0

I created a keystore file for my PFX certificates (PKCS#12), but I need to know how many keys can be stored in a keystore file (JKS).

I'm currently loading the certificates as follows:

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;

KeyStore oStore = KeyStore.getInstance("PKCS12");
try (FileInputStream in = new FileInputStream(AppConfig.get(AppConfig.SRC_KEY))) {
    oStore.load(in, "SECRET".toCharArray());          // store password also checks the integrity MAC
}
// ...
oStore.setKeyEntry(idAlias, privateKey, pwd.toCharArray(), chain); // each entry gets its own password pwd
try (FileOutputStream out = new FileOutputStream(AppConfig.get(AppConfig.SRC_KEY))) {
    oStore.store(out, "SECRET".toCharArray());
}
```

Is there a limit to the number of keys and certificates I can store in this keystore?

atiruz
  • 2,782
  • 27
  • 36
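An added example, not code from the question or from any answer on this page: it puts a configurable number of entries into an in-memory PKCS#12 keystore, serialises and reloads it, and shows that each entry can carry its own password that differs from the store password. It uses `SecretKeyEntry` rather than private-key entries because a self-contained program cannot mint X.509 certificates with the JDK alone; the alias, password and size bookkeeping is the same for private-key entries. It assumes a JDK 8 or newer SunJSSE `PKCS12` implementation (secret-key entries in PKCS#12 were added in JDK 8); the class and method names, passwords and key bytes are all constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class KeyStoreCapacityDemo {

    // Constructed store password for the demo.
    static final char[] STORE_PASSWORD = "store-secret".toCharArray();

    /** Password for entry i; deliberately different from the store password. */
    static char[] entryPassword(int i) {
        return ("entry-secret-" + i).toCharArray();
    }

    /** Builds a PKCS#12 store holding {@code count} secret-key entries and serialises it. */
    static byte[] buildStore(int count) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                         // start from an empty store
        for (int i = 0; i < count; i++) {
            // Constructed, deterministic key bytes: fine for a demo, never for real keys.
            byte[] raw = new byte[32];
            raw[0] = (byte) i;
            raw[1] = (byte) (i >>> 8);
            SecretKey key = new SecretKeySpec(raw, "AES");
            ks.setEntry("key-" + i, new KeyStore.SecretKeyEntry(key),
                        new KeyStore.PasswordProtection(entryPassword(i)));
        }
        try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            ks.store(out, STORE_PASSWORD);           // integrity MAC uses the store password
            return out.toByteArray();
        }
    }

    /** Reads the serialised store back, which also verifies its integrity MAC. */
    static KeyStore reload(byte[] bytes) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(bytes), STORE_PASSWORD);
        return ks;
    }

    /** True when entry i opens only with its own password, not with the store password. */
    static boolean needsOwnPassword(KeyStore ks, int i) throws Exception {
        String alias = "key-" + i;
        if (ks.getKey(alias, entryPassword(i)) == null) {
            throw new IllegalStateException("entry missing: " + alias);
        }
        try {
            ks.getKey(alias, STORE_PASSWORD);
            return false;
        } catch (UnrecoverableKeyException e) {
            return true;                             // entry is protected by its own password
        }
    }

    public static void main(String[] args) throws Exception {
        int count = args.length > 0 ? Integer.parseInt(args[0]) : 1000;
        byte[] bytes = buildStore(count);
        KeyStore ks = reload(bytes);
        System.out.printf("entries stored: %d, serialised size: %d bytes (%.1f bytes/entry)%n",
                ks.size(), bytes.length, bytes.length / (double) count);
        System.out.println("entry 7 needs its own password: " + needsOwnPassword(ks, 7));
    }
}
```

Run it with a larger count (`java KeyStoreCapacityDemo 5000`) to see that the store grows linearly and that `size()` after reload matches what was written; the practical bound is file size and the time the whole store takes to parse on every `load`, not an entry count enforced by the format. The per-entry password check is the point of contention later in this thread: the store password only covers the integrity MAC, while each key entry is encrypted with the password given at `setEntry` time.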

3 Answers

1

AFAIK there is no limit of certificates which a keystore can hold.

Bharat Sinha
  • 13,973
  • 6
  • 39
  • 63
  • But I read this [question](http://stackoverflow.com/questions/1130944/too-many-open-files-on-tomcat-keystore), and although I'm not using Tomcat but GlassFish, I would be interested to know if the limitation is Linux or the Java keystore. – atiruz Aug 30 '12 at 17:04
  • Is there a link indicating the keystore file specifications? – atiruz Aug 30 '12 at 17:05
  • I don't think it states anything about a **limitation on the number of certificates in a keystore** – Bharat Sinha Aug 30 '12 at 17:08
  • Then I think that I can store more than 5000 keys in a single keystore file, right? – atiruz Aug 30 '12 at 17:19
0

I assume you are referring to the PKCS12 keystore type provided by the SunJSSE provider. This is an implementation of the PKCS #12 standard and so you can view it the same as any PKCS #12 file.

As a result, I'd suggest that the intention is for each file to contain a single private key and certificate.

If you are wanting to store many keys with certificates, I would suggest you consider using a normal keystore (rather than a PKCS #12 variant).

Duncan Jones
  • 67,400
  • 29
  • 193
  • 254
0

Is there a limit to the number of keys and certificates I can store in this keystore?

To be honest I don't know if you can actually store more than 1 private key in your PKCS12, but even if you could, it would be a really unusual use and not recommended.
These keystores are used as containers for private credentials and are not meant to be shared, which is essentially what you will be doing if you add more than one private key and its corresponding public key and chain.
These containers typically have an encryption password that is required to access them, and the same password is used for the private key entry. So it is not a good option to keep multiple private keys in the same container, as they will all share the same password.
It might be possible that there is a provider (e.g. Bouncy Castle) that may allow you to set different passwords, but this container would be completely unusable if you intend to make it portable, i.e. usable by any application, as it would not expect the contents you describe.

Update:
Your question is completely unrelated to the post you linked to. The problem in that case was that too many http-connector threads accessed the keystore file. It was a threading issue. Nothing to do with your question.

Cratylus
  • 52,998
  • 69
  • 209
  • 339
  • For now I am testing my software, and I was able to load more than 10 PFX certificates without problems, then assigning an alias to obtain and use each one. – atiruz Aug 30 '12 at 19:35
  • The repository has a master key, and each key has a private key password separately, which I have recorded in another safe place. – atiruz Aug 30 '12 at 19:38
  • The `pkcs12` is encrypted e.g. with password `1234`. You are saying that you have 10 private key entries and for each alias you have used different passwords (from the `1234` and each other)? E.g. `567`, `789` etc.? – Cratylus Aug 30 '12 at 19:43
  • That's right, you can see it in the code indicated by `pwd.toCharArray()` – atiruz Aug 30 '12 at 19:50
  • Are you using Bouncy Castle? If I recall, SUN's provider does **not** allow you to set different passwords. Additionally, what is your use case? What you are doing is not (AFAIK) common practice: `Traditionally a PKCS#12 file contains a private key, its corresponding certificate and one or more CA certificates, it can also contain a MAC for integrity testing.` (from http://www.drh-consultancy.demon.co.uk/pkcs12faq.html). – Cratylus Aug 30 '12 at 20:00
  • [http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html](http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html) – atiruz Aug 30 '12 at 20:12
  • What is the part you want me to look at? – Cratylus Aug 30 '12 at 20:16
  • The first part of your link says: A Keytool keystore contains **the private key** and any certificates necessary to complete a chain of trust and establish the trustworthiness of the primary certificate – Cratylus Aug 30 '12 at 20:18
  • Java Keytool also has several other functions that allow you to view the details of a certificate, list the certificates contained in a keystore, or export a certificate. – atiruz Aug 30 '12 at 20:22
  • There is a misunderstanding on your part here. Keystores are also used as **truststores**, and the list of certificates that you see is a list of the trusted certificates (**without** private keys). Additionally you can store a private key and its associated **certificate chain**. So yes, there can be many entries of (public key) certificates in a keystore. It is extremely uncommon to have more than 1 private key. – Cratylus Aug 30 '12 at 20:25
  • [Can we load multiple Certificates & Keys in a Key Store?](http://stackoverflow.com/questions/6370745/can-we-load-multiple-certificates-keys-in-a-key-store) – atiruz Aug 30 '12 at 20:56
  • I did not say it is not possible. I said it is not a common case. Let's see if any colleague here has another perspective on this – Cratylus Aug 30 '12 at 21:01
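The thread above turns on two distinctions: trusted-certificate entries versus private-key entries, and a store password versus per-entry key passwords. The following audit program, an added example that is not part of any answer here, makes both visible for an existing keystore: it counts each entry kind, prints subject and expiry for every X.509 certificate, and reports which key entries do not open with the store password. It goes slightly beyond the thread by also flagging expired certificates. With no arguments it reads the JDK's own `cacerts` truststore (under `java.home/lib/security`, default password `changeit`), so it runs without any file from the question; pass `path type password` to inspect a PKCS12 or JKS file of your own. The class and method names are constructed; it assumes JDK 8 or newer.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class KeyStoreAudit {

    /** Counts per entry kind, plus key entries that do not open with the store password. */
    static final class Summary {
        int privateKeys, trustedCerts, secretKeys, separateKeyPasswords, expiredCerts;
        @Override public String toString() {
            return String.format("privateKeys=%d trustedCerts=%d secretKeys=%d "
                    + "separateKeyPasswords=%d expiredCerts=%d",
                    privateKeys, trustedCerts, secretKeys, separateKeyPasswords, expiredCerts);
        }
    }

    static Summary audit(String path, String type, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);              // also verifies the store's integrity MAC
        }
        Summary s = new Summary();
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) {
                    s.secretKeys++;                  // symmetric key: no certificate chain
                } else {
                    s.privateKeys++;
                    describe(alias, "PrivateKeyEntry", chain[0], now, s);
                }
                try {
                    ks.getKey(alias, storePassword);
                } catch (UnrecoverableKeyException e) {
                    s.separateKeyPasswords++;        // entry is protected by its own password
                    System.out.println("  " + alias + ": not openable with the store password");
                }
            } else if (ks.isCertificateEntry(alias)) {
                s.trustedCerts++;                    // trust anchor: certificate only, no key
                describe(alias, "TrustedCertificateEntry", ks.getCertificate(alias), now, s);
            }
        }
        return s;
    }

    static void describe(String alias, String kind, Certificate cert, Date now, Summary s) {
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            boolean expired = x.getNotAfter().before(now);
            if (expired) s.expiredCerts++;
            System.out.printf("%s %s subject=%s notAfter=%s%s%n", kind, alias,
                    x.getSubjectX500Principal().getName(), x.getNotAfter(), expired ? " EXPIRED" : "");
        } else {
            System.out.printf("%s %s (non-X.509 certificate of type %s)%n", kind, alias, cert.getType());
        }
    }

    public static void main(String[] args) throws Exception {
        String path, type;
        char[] pw;
        if (args.length >= 3) {
            path = args[0];
            type = args[1];
            pw = args[2].toCharArray();
        } else {
            // Default input: the JDK's own trust store, shipped with every JDK.
            path = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
            type = KeyStore.getDefaultType();        // matches the format cacerts uses for that JDK
            pw = "changeit".toCharArray();           // the JDK's documented default cacerts password
        }
        System.out.println(audit(path, type, pw));
    }
}
```

On `cacerts` the summary shows many `TrustedCertificateEntry` items and zero private keys, which is the truststore shape described in the comments; on the questioner's merged PKCS#12 file the same program would list each private-key entry by alias and, for every entry whose `pwd` differs from the store password, a "not openable with the store password" line. That output is the quickest way to settle whether a given provider honoured per-entry passwords, and it is worth running on any keystore before deploying it, since an application that assumes the store password also opens every key will fail at runtime on such a file.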