This article will detail how to troubleshoot and correct the java keystore pkcs12 legacy issues with keystores generated with newer cryptographic algorithms and older versions of Java.
If you have encountered these issues with OpenSSL instead of the Java keytool, read our article specifically for openssl pkcs 12 legacy keystore functions.
You have likely landed on this page because you have renewed a certificate, generated a new keystore with newer cryptographic functions unknowingly, and installed the new keystore on your existing web server, likely Apache Tomcat.
Specifically, you may encounter issues if you generate a new keystore with OpenSSL 3 or with Java keytool version 16 or greater. Older versions of Java including Java 8 and Java 11 do not support the newer cryptographic functions.
This article uses Java 8 and Tomcat as an example. Depending on your stack, you may encounter an issue similar to the following on a restart.
Exception in thread "main" java.security.UnrecoverableKeyException: Private key not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException:
Unfortunately, the error is misleading and doesn't point to the direct cause: the keystore itself is intact, but the private key and MAC were protected with algorithms the older runtime cannot process. To overcome this error you need to create a new keystore that uses the older PKCS12 algorithms, the defaults keytool used before Java 16.
-J-Dkeystore.pkcs12.legacy
To create a legacy keystore to be used in Java 11, Java 8, or older, use the -J-Dkeystore.pkcs12.legacy option. The -J prefix passes the flag through to the JVM that runs keytool, so this sets the keystore.pkcs12.legacy system property for that one invocation. You can try using the openssl legacy commands, but the security providers do not always align and you may still encounter the same issue. To convert your existing keystore into a new keystore with legacy security algorithms using the Java keytool, run the following command.
keytool -importkeystore -srckeystore new-crypt.pfx -destkeystore old-crypt.pfx -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass changeit -J-Dkeystore.pkcs12.legacy
Since -srcstorepass is not given, keytool will prompt for the password of new-crypt.pfx. The resulting old-crypt.pfx should now be usable by older versions of Java.
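Before reinstalling the converted file, it helps to confirm which flavour of PKCS12 you actually have. The algorithm identifiers a PKCS12 file uses are stored unencrypted alongside the encrypted payload, so they can be read without the password. The following Python script is an added example, not code from the original article: it walks the DER structure of a .pfx/.p12 file, collects every OBJECT IDENTIFIER it finds, and classifies the file as legacy (the pre-Java-16 keytool defaults: PBE-SHA1-RC2-40 for certificates, PBE-SHA1-3DES for keys, SHA-1 based MAC) or modern (the Java 16+ defaults: PBES2 with PBKDF2, AES-256-CBC and HMAC-SHA256, SHA-256 based MAC). The two built-in samples are constructed DER fragments that mimic the shape of each keystore type; they are not real keystores and the encrypted contents are replaced with zero bytes.

```python
"""Classify a PKCS#12 keystore as legacy or modern from the algorithm OIDs it carries."""
import sys

# Algorithm OIDs that distinguish the two PKCS#12 flavours keytool writes.
LEGACY_OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.3.14.3.2.26": "sha1 (MAC digest)",
}
MODERN_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.2.1": "sha256 (MAC digest)",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, constructed, value, next_pos) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    # Tag 0 (end-of-contents) and multi-byte tag numbers never occur in PKCS#12 DER.
    if tag == 0 or tag & 0x1F == 0x1F:
        return None
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):  # indefinite or oversized length: not DER
            return None
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        return None
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length


def _parse_all(buf):
    """Parse buf as a run of DER TLVs; None unless the bytes are consumed exactly."""
    items, pos = [], 0
    while pos < len(buf):
        tlv = _read_tlv(buf, pos)
        if tlv is None:
            return None
        items.append(tlv)
        pos = tlv[3]
    return items


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 subidentifiers) to dotted form."""
    subs, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(cur)
            cur = 0
    first = subs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subs[1:]))


def collect_oids(buf, found=None):
    """Walk DER, descending into constructed types and into OCTET STRINGs that
    themselves parse as DER (PKCS#12 nests its SafeContents inside OCTET STRINGs)."""
    found = set() if found is None else found
    items = _parse_all(buf)
    if items is None:
        return found
    for tag, constructed, value, _ in items:
        if tag == 0x06:
            found.add(decode_oid(value))
        elif constructed or tag == 0x04:
            collect_oids(value, found)
    return found


def classify(buf):
    """Return (verdict, legacy_algorithms, modern_algorithms) for a PKCS#12 blob."""
    oids = collect_oids(buf)
    legacy = sorted(LEGACY_OIDS[o] for o in oids if o in LEGACY_OIDS)
    modern = sorted(MODERN_OIDS[o] for o in oids if o in MODERN_OIDS)
    if legacy and modern:
        verdict = "mixed"
    elif legacy or modern:
        verdict = "legacy" if legacy else "modern"
    else:
        verdict = "unknown"
    return verdict, legacy, modern


# --- constructed sample inputs (not real keystores) used for the demo and tests ---
def der(tag, content):
    """Minimal DER encoder: tag byte, definite length, content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _alg(oid, params=b""):
    return der(0x30, der(0x06, encode_oid(oid)) + params)


_NULL = der(0x05, b"")
# Legacy shape: RC2-40 encrypted SafeContents and a SHA-1 MacData, payloads zeroed.
SAMPLE_LEGACY = der(0x30, der(0x02, b"\x03")
    + der(0x30, der(0x04, der(0x30, _alg("1.2.840.113549.1.12.1.6",
          der(0x30, der(0x04, b"salt") + der(0x02, b"\x08\x00"))) + der(0x04, bytes(16)))))
    + der(0x30, der(0x30, _alg("1.3.14.3.2.26", _NULL) + der(0x04, bytes(20)))
          + der(0x04, b"saltsalt") + der(0x02, b"\x08\x00")))
# Modern shape: PBES2(PBKDF2 + HMAC-SHA256, AES-256-CBC) and a SHA-256 MacData.
_pbkdf2 = _alg("1.2.840.113549.1.5.12", der(0x30, der(0x04, b"saltsalt")
          + der(0x02, b"\x27\x10") + _alg("1.2.840.113549.2.9", _NULL)))
_pbes2 = _alg("1.2.840.113549.1.5.13",
          der(0x30, _pbkdf2 + _alg("2.16.840.1.101.3.4.1.42", der(0x04, bytes(16)))))
SAMPLE_MODERN = der(0x30, der(0x02, b"\x03")
    + der(0x30, der(0x04, der(0x30, _pbes2 + der(0x04, bytes(32)))))
    + der(0x30, der(0x30, _alg("2.16.840.1.101.3.4.2.1", _NULL) + der(0x04, bytes(32)))
          + der(0x04, b"saltsalt") + der(0x02, b"\x27\x10")))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python pkcs12_flavour.py old-crypt.pfx
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], classify(f.read()))
    else:
        print("constructed legacy sample:", classify(SAMPLE_LEGACY))
        print("constructed modern sample:", classify(SAMPLE_MODERN))
```

Run it against both new-crypt.pfx and old-crypt.pfx after the keytool conversion above: the source should report modern and the converted file legacy. A "mixed" verdict means some entries were re-protected and others were not, which is worth investigating before deploying the file.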
Conclusion – java keystore pkcs12 legacy
This article has demonstrated how to resolve the java keystore pkcs12 legacy errors. Let us know in the comments if you have any questions or would like to see additional examples.
As one final caution, it is not considered a best practice to continue using legacy keystores in modern applications. If the same key pair is being used in multiple locations as may be the case with wildcard certificates, make sure to use a keystore with modern cryptography in applications that support it.