KeyStore.load() fails with "Invalid keystore format"

Question

Code below fails every time with IOException of "Invalid keystore format" when performing the keystore.load() method. The file is loaded from the .jar file successfully. Using Java 1.8 on Windows 10 Pro. Maven is used compile and assemble the jar files and then war together and deploy to JBOSS server as a war file. I have tried .getInstance with getDefault() as well with the same error.

InputStream stream;
stream = Thread.currentThread().getContextClassLoader()
    .getResourceAsStream("cacerts.jks");
if (stream == null) {
    stream = CustomTrustManager.class.getClassLoader()
        .getResourceAsStream("cacerts.jks");
}
if(stream == null) {
    Log.error("Unable to load cacerts.jks. This is needed to make HTTPS connections to internal servers.");
    throw new NotFoundException();
}

KeyStore myTrustStore = KeyStore.getInstance("JKS");
myTrustStore.load(stream, "xxxxx".toCharArray());

The "cacerts.jks" file is generated from a self-signed server certificate "server1.crt" file using the following command:

keytool -v -import -alias devserver -file server1.crt -keystore cacerts.jks

This completes successfully and command:

keytool -list -keystore cacerts.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

devserver, Aug 15, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): F6:7F:C9:95:0E:B8:59:07:24:23:67:93:43:B2:C9:AA:CD:5B:AF:68

Shows no problems with keystore file. I have scanned many StackOverflow articles but none point to a solution for the issue. In debug mode the InputStream has the following format once the resource is loaded. I assume the ZipFile type is normal from loading from a .jar file.

Appreciate any insight on how to load the keystore file successfully. Thanks

StackTrace below:

2019-08-18 17:00:53,038 ERROR service.CustomTrustManager (CustomTrustManager.java:59) [default task-2] - KeyStore failed to laod
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658) ~[?:1.8.0_161]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[?:1.8.0_161]
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[?:1.8.0_161]
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[?:1.8.0_161]
at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_161]
at cinfin.thirdparty.service.CustomTrustManager.<init>(CustomTrustManager.java:57) [ThirdPartyWSCore-1.13.0.jar:1.13.0]
at cinfin.thirdparty.riskmeter.service.RiskMeterClientService.configureSSL(RiskMeterClientService.java:125) [ThirdPartyWSRiskMeter-1.0.0.jar:?]
at cinfin.thirdparty.riskmeter.service.RiskMeterClientService.getHttpClient(RiskMeterClientService.java:103) [ThirdPartyWSRiskMeter-1.0.0.jar:?]
at cinfin.thirdparty.riskmeter.service.RiskMeterClientService.getRiskMeterData(RiskMeterClientService.java:87) [ThirdPartyWSRiskMeter-1.0.0.jar:?]
at cinfin.thirdparty.riskmeter.bo.RiskMeterBo.getRiskMeterData(RiskMeterBo.java:50) [ThirdPartyWSRiskMeter-1.0.0.jar:?]
at cinfin.thirdparty.riskmeter.ws.RiskMeterService.getRiskMeterData(RiskMeterService.java:18) [ThirdPartyWSRiskMeter-1.0.0.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_161]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_161]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_161]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_161]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:84) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at cinfin.thirdparty.metering.bo.MeteringAspectImpl.performVendorCall(MeteringAspectImpl.java:64) [ThirdPartyWSCore-1.13.0.jar:1.13.0]
at cinfin.thirdparty.metering.bo.MeteringAspectImpl.aroundMeteredAnnotationAdvice(MeteringAspectImpl.java:33) [ThirdPartyWSCore-1.13.0.jar:1.13.0]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_161]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_161]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_161]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_161]
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:627) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:616) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) [spring-aop-4.3.24.RELEASE.jar:4.3.24.RELEASE]
at com.sun.proxy.$Proxy206.getRiskMeterData(Unknown Source) [?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_161]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_161]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_161]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_161]
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180) [cxf-core-3.1.10.jar:3.1.10]
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) [cxf-core-3.1.10.jar:3.1.10]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:189) [cxf-rt-frontend-jaxrs-3.1.10.jar:3.1.10]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:99) [cxf-rt-frontend-jaxrs-3.1.10.jar:3.1.10]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) [cxf-core-3.1.10.jar:3.1.10]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) [cxf-core-3.1.10.jar:3.1.10]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:223) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [jboss-servlet-api_3.1_spec-1.0.0.Final-redhat-1.jar!/:1.0.0.Final-redhat-1]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) [wildfly-undertow-7.0.9.GA-redhat-3.jar!/:7.0.9.GA-redhat-3]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) [wildfly-undertow-7.0.9.GA-redhat-3.jar!/:7.0.9.GA-redhat-3]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar!/:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

When I use the keytool it prompts for password so shouldn't it be used when loading? Other examples show it being passed as well. — Richard Wheeler, Aug 18 '19 at 12:43
Had a similar problem once. Root cause was that a class was loaded twice by two different class loader. — AndiCover, Aug 20 '19 at 12:53
Have you tried using portecle (http://portecle.sourceforge.net/) ? It is nice GUI for java keystores. You will know if issue is with the file or with your code/environment/ jvm. — Sankozi, Aug 20 '19 at 13:29
I posted the result of testing the file it indicates it is fine. — Richard Wheeler, Aug 20 '19 at 13:33
Were the `keytool` used to create and manually examine the keystore the _same_ 1.8 version and with the same config (specifically JRE/lib/security/java.security file), or different? There were changes to keystore handling between early 8, late 8, and 9 up. Can you show a hex dump of the first 10 bytes or so of the file? @Andreas: wrong password never throws 'invalid format', it throws 'tampered or password incorrect' — dave_thompson_085, Aug 20 '19 at 16:18
Using Java 1.8 through all steps. When using keytool it prompts for password which works. First 10 bytes are: FE ED FE ED 00 00 00 02 00 00 — Richard Wheeler, Aug 20 '19 at 16:55
FEEDFEED is fine (it's the magic number for JKS format). You could extract the JKS file from the jar and test it with keytool to make sure it was not somehow modified when packaging. — Omikron, Aug 21 '19 at 09:45
Here is the first 10 bytes of the same file from the .jar file: EF BF BD EF BF BD EF BF BD EF — Richard Wheeler, Aug 21 '19 at 12:30
Try making sure that the cert password matches the keystore password: `keytool -keypasswd -keystore "foo/bar/cacerts.jks" -alias devserver -storepass "xxxxx" -keypass "?????" -new "xxxxx"`. Not sure why that comes to mind but I think I've had to do something like that in my experiences with keystores.. — xtratic, Aug 22 '19 at 20:42
How about sharing your keystore file? According to your comment it is only used to connect to an internal HTTPS server, i.e. for trusting the server from the client side. Thus I am assuming it only contains a public key, no private keys. So there is absolutely no issue for you in sharing it. I can take a look then. — kriegaex, Aug 23 '19 at 07:35
EF BF BD is the **UTF-8** encoding of U+FFFD 'replacement'. This looks like whatever built your JAR, or perhaps some step 'preparing' the files _for_ the JAR, is treating this data as **text** which it is not, and thus badly garbling it. — dave_thompson_085, Aug 24 '19 at 11:51
Can you please post your `pom.xml`? I think during the build process, maven is corrupting your keystore.The `magic number` or the `version` of the file is not matching. The first 4 bytes of the file is the magic number while the next 4 bytes is the version number. If the either of the number doesn't match, the Java Keystore throws an invalid exception. — Indra Basak, Aug 27 '19 at 03:28
I'm gonna take a step back here and just ask: Why do you want to solve it like this? If it is an ssl-certificate, why not just add it to the default truststore used by the JVM, alternatively create a truststore based on the default, add the cert and use -Djava.net.ssl.trustStore on startup? — Tobb, Aug 27 '19 at 12:36

score 6 · Answer 1 · answered Aug 26 '19 at 14:18

The binary JKS file was probably filtered by the Maven Resources Plugin, which resulted in a corrupted file and is a pretty common problem:

Maven corrupts WAV file when copying to Java resource dir during build

Maven corrupting binary files in source/main/resources when building jar

generated certificate stops working when moved to resources folder

The binary file was basically treated as a text file and therefore the file in the jar starts with UTF-8 characters (0xEFBFBDEFBFBD) instead of the magic number for JKS (0xFEEDFEED).

The Resources Plugin documentation contains an explicit warning:

Do not filter files with binary content like images! This will most likely result in corrupt output.

Possible solutions are:

Split the resources folder into one that is filtered and one that is not (see here)
Globally disable filtering of files with extension .jks (see here)

score 1 · Answer 2 · answered Aug 27 '19 at 12:13

be sure esclude from filtering your keystore file jks

like

<resources>
            <resource>
                <directory>src/main/resources</directory>
                <filtering>true</filtering>
                <excludes>
                    <exclude>**/*.jks</exclude>
                </excludes>
            </resource>
            <resource>
                <directory>src/main/resources</directory>
                <filtering>false</filtering>
                <includes>
                    <include>**/*.jks</include>
                </includes>
            </resource>
        </resources>

score 1 · Answer 3 · answered Aug 13 '20 at 16:23

Based on Omikrom answer:

The binary file was basically treated as a text file and therefore the file in the jar starts with UTF-8 characters (0xEFBFBDEFBFBD) instead of the magic number for JKS (0xFEEDFEED).

I added these two lines in properties section on my pom.xml file

<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>

it did the job

kriegaex · Answer 4 · 2019-08-24T12:14:17.860

Disclaimer: This is not a complete answer yet but I need a tool for discussing with the OP. If this does not lead to a solution I will delete the answer again.

I replicated your situation in a POJO like this:

$ openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out MyCertificate.crt -keyout MyKey.key
(answer all questions with RETURN = accept defaults)

$ keytool -v -import -alias devserver -file MyCertificate.crt -keystore src/main/resources/cacerts.jks -storetype JKS
Enter keystore password:  testtest
Re-enter new password: testtest
(...)
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing src/main/resources/cacerts.jks]

$ keytool -list -keystore src/main/resources/cacerts.jks
Enter keystore password:  testtest
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

devserver, 24.08.2019, trustedCertEntry,
Certificate fingerprint (SHA-256): A2:E1:49:FB:9C:26:6B:8A:21:45:A4:AA:F4:86:A0:A7:82:B8:08:BE:75:A6:BF:E8:F5:13:9E:31:23:8E:B0:71

Now create a class in a Maven JAR module similar to the code shown by the OP:

package de.scrum_master.stackoverflow;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;

public class CustomTrustManager {
  public static void main(String[] args) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
    InputStream stream;
    stream = Thread.currentThread().getContextClassLoader().getResourceAsStream("cacerts.jks");
    System.out.println(stream);
    if (stream == null) {
      stream = CustomTrustManager.class.getClassLoader().getResourceAsStream("cacerts.jks");
    }
    if(stream == null) {
      System.out.println("Unable to load cacerts.jks. This is needed to make HTTPS connections to internal servers.");
      throw new RuntimeException("Keystore not found");
    }

    KeyStore myTrustStore = KeyStore.getInstance("JKS");
    myTrustStore.load(stream, "testtest".toCharArray());
    System.out.println("Keystore loaded");
  }
}

Now build the project with mvn clean package and run it:

$ java -cp target/my-sample-1.0-SNAPSHOT.jar de.scrum_master.stackoverflow.CustomTrustManager
sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream@3d4eac69
Keystore loaded

So basically your approach should work. If it does not it could be connected to

class-loading (but I don't think so as the key store seems to be found fine),
AspectJ (or rather just Spring AOP) stuff I see in your call stack (also unlikely),
your own custom trust manager or whatever your "riskmeter" classes do.

Please check if the exact same keystore you use in your application works from a simple JAR like in my example, no container or other fancy stuff. If it does, you know the problem is not your key store.

Then please provide some feedback here.

You created a **PKCS12** (NOT JKS) keystore, even though you named it `.jks`, probably by using Java 9 or higher `keytool`. You then tried to read it as JKS, which should and did fail. Everything else here is irrelevant. — dave_thompson_085, Aug 24 '19 at 11:52
Firstly, the PKCS12 keystore loading with parameter "JKS" did **not** fail, otherwise I would not have posted a log without error. Have you even tried reproducing what I did? Secondly, I have created a new keystore, this time with additional parameter `-storetype JKS`. I have also updated the log output, you see it is still working, the keystore is loaded just fine. So again I am asking the OP for his keystore in order to help us reproduce his problem. My solution works and it actually uses the OP's code. — kriegaex, Aug 24 '19 at 12:18
Or maybe the OP tells us with which OpenSSL (or other tool) command line he generated the certificate. — kriegaex, Aug 24 '19 at 12:20
OP told us they used "Java 1.8" and more specifically "Java 1.8.0_161 64 bit" plus told us the _file_ begins FEED FEED (which _is_ the magic number for JKS) but the _jar entry_ does _not_. Sorry, when you said you replicated I thought you replicated the exception (but looking more closely I see you didn't), and I also didn't notice Oracle kept 'keystore.type.compat=true' in 9-12, they just moved it to conf/security where I wasn't looking for it, so yes a JKS provider (stil) can actually read PKCS12. — dave_thompson_085, Aug 25 '19 at 16:48
I am just showing what normally should work. The OP can use the keystore from her JAR and test it outside of the container with my [MCVE](https://stackoverflow.com/help/mcve) in order to get more information for us. This way we would know for sure if something is wrong with the keystore as such, which as you said might mean that the build/packagin process is somehow broken. But if her extracted keystore works with my example, something is f***ed up with resource classloading or filtering, as I said before. We cannot know for sure if she does not try and provide feedback. — kriegaex, Aug 26 '19 at 07:50

KeyStore.load() fails with "Invalid keystore format"

4 Answers4