You have likely landed on this page because you renewed a certificate, unknowingly generated a new keystore that uses newer cryptographic algorithms, and installed that keystore on your existing web server, most likely Apache Tomcat.
Specifically, you may run into this if you generate a new keystore with OpenSSL 3 or with Java keytool version 16 or greater. Older versions of Java, including Java 8 and Java 11, do not support the newer cryptographic functions.
This article uses Java 8 and Tomcat as the example. Depending on your stack, you may see an error similar to the following when the server restarts.
Exception in thread "main" java.security.UnrecoverableKeyException: Private key not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException:
Unfortunately, the error message is misleading and does not point to the real cause. To get past it, you need to create a new keystore that uses the older cryptographic algorithms.
To create a legacy keystore that Java 11, Java 8, or older can read, pass the -J-Dkeystore.pkcs12.legacy option to keytool. You can try the OpenSSL legacy options instead, but the security providers do not always align and you may still hit the same error. To convert your existing keystore into a new keystore that uses the legacy algorithms with the Java keytool, run the following command.
keytool -importkeystore -srckeystore new-crypt.pfx -destkeystore old-crypt.pfx -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass changeit -J-Dkeystore.pkcs12.legacy
The converted keystore should now load in older versions of Java.
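Because the exception above never names the algorithm that the old runtime choked on, it helps to confirm what a .pfx actually contains before and after the conversion. OpenSSL will print this with openssl pkcs12 -info -noout -in file.pfx (on OpenSSL 3 the legacy keystore may need its -legacy option). The script below is an added example, not code from the article, and it does the same check offline with the Python standard library only: the PBE AlgorithmIdentifier on each encrypted bag and the MacData digest sit in cleartext in the PKCS#12 DER, so a search for the DER-encoded OIDs is enough to tell a PBES2/AES/SHA-256 keystore from a PBEWithSHA1AndDESede/RC2/SHA-1 one. It is a heuristic, not a full ASN.1 parser; the file names are hypothetical and the sample blob is constructed.

```python
"""Heuristic check of which PKCS#12 algorithms a keystore file uses.

Scans the raw DER bytes for the DER encoding (tag 0x06, length, contents)
of well-known algorithm OIDs. Not a full ASN.1 parser: it reports which
algorithm identifiers are present, which is what decides whether an older
Java runtime can open the file.
"""
from __future__ import annotations

import sys
from pathlib import Path

# Algorithms written by OpenSSL 3 and recent keytool versions (PBES2 family).
MODERN_OIDS = {
    "PBES2 (1.2.840.113549.1.5.13)": bytes.fromhex("06092a864886f70d01050d"),
    "PBKDF2 (1.2.840.113549.1.5.12)": bytes.fromhex("06092a864886f70d01050c"),
    "hmacWithSHA256 (1.2.840.113549.2.9)": bytes.fromhex("06082a864886f70d0209"),
    "aes256-CBC (2.16.840.1.101.3.4.1.42)": bytes.fromhex("060960864801650304012a"),
    "sha256 MAC digest (2.16.840.1.101.3.4.2.1)": bytes.fromhex("0609608648016503040201"),
}

# Algorithms written in keystore.pkcs12.legacy mode (PKCS#12 v1 PBE schemes).
LEGACY_OIDS = {
    "pbeWithSHA1And3-KeyTripleDES-CBC (1.2.840.113549.1.12.1.3)": bytes.fromhex("060a2a864886f70d010c0103"),
    "pbeWithSHA1And40BitRC2-CBC (1.2.840.113549.1.12.1.6)": bytes.fromhex("060a2a864886f70d010c0106"),
    "sha1 MAC digest (1.3.14.3.2.26)": bytes.fromhex("06052b0e03021a"),
}


def scan_pkcs12(der: bytes) -> dict:
    """Return which modern/legacy algorithm OIDs appear in the DER bytes and a verdict.

    verdict is one of:
      "modern"  - only PBES2-family identifiers found (old Java cannot read it)
      "legacy"  - only PKCS#12 v1 PBE identifiers found (old Java can read it)
      "mixed"   - both families present, e.g. key and cert bags encrypted differently
      "unknown" - neither family found (probably not a PKCS#12 file)
    """
    found_modern = [name for name, enc in MODERN_OIDS.items() if enc in der]
    found_legacy = [name for name, enc in LEGACY_OIDS.items() if enc in der]
    if found_modern and not found_legacy:
        verdict = "modern"
    elif found_legacy and not found_modern:
        verdict = "legacy"
    elif found_modern and found_legacy:
        verdict = "mixed"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "modern": found_modern, "legacy": found_legacy}


def scan_file(path: str | Path) -> dict:
    """Read a .pfx/.p12 file and classify it."""
    return scan_pkcs12(Path(path).read_bytes())


# Constructed sample: a SEQUENCE header followed by the legacy identifiers, the
# way they appear in a keystore written with -J-Dkeystore.pkcs12.legacy. It is
# not a real keystore, just enough for the detector to exercise its logic.
SAMPLE_LEGACY_BLOB = b"\x30\x80" + b"".join(LEGACY_OIDS.values())


if __name__ == "__main__":
    # Usage: python check_pkcs12.py old-crypt.pfx new-crypt.pfx  (file names hypothetical)
    targets = sys.argv[1:]
    results = {p: scan_file(p) for p in targets} if targets else {"<sample>": scan_pkcs12(SAMPLE_LEGACY_BLOB)}
    for name, result in results.items():
        print(f"{name}: {result['verdict']}")
        for algo in result["modern"] + result["legacy"]:
            print(f"  found {algo}")
```

Run it against both the source and destination keystores from the keytool command above: the source should report "modern" and the destination "legacy"; a "modern" verdict on a file that an older Java runtime must load is the mismatch the misleading UnrecoverableKeyException is hiding.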
Conclusion – java keystore pkcs12 legacy
This article has shown how to resolve the java keystore pkcs12 legacy errors. Let us know in the comments if you have any questions or would like to see additional examples.
As a final caution, continuing to use legacy keystores in modern applications is not considered best practice. If the same key pair is used in several places, as can happen with wildcard certificates, use a keystore with modern cryptography for every application that supports it.