
I have multiple client certificates (.pem files without a shared CA root) that I would like to convert to a single PKCS12 truststore without a password, for testing purposes. The truststore should not contain any private keys, as it is only for validating the clients.

I tried the following:

cat client1.crt client2.crt > trusted-clients-collection
openssl pkcs12 -export -in trusted-clients-collection -nokeys -passout 'pass:' -out trusted-clients.p12

But that returned an empty truststore. Replacing -in with -certfile doesn't help either. If I omit -nokeys, then a private key is requested. If I provide one, then the private key will be in the resulting truststore. Or the following commands:

keytool -import -alias client1 -file client1.crt -keystore trusted-clients.p12 -storetype pkcs12 -storepass "changeit"
keytool -import -alias client2 -file client2.crt -keystore trusted-clients.p12 -storetype pkcs12 -storepass "changeit"

But that creates a truststore with a password, and I couldn't find a way to use an empty password.

Is there a command to create a PKCS12 truststore from multiple PEMs without a password? Hopefully using OpenSSL. Or is my expectation that the PKCS12 file is a truststore off?

I'm using OpenSSL 1.1.1l as shipped with Git (Bash) version 2.34.0.windows.1.

Some test-certificates can be found here: https://github.com/yidongnan/grpc-spring-boot-starter/tree/master/tests/src/test/resources/certificates

ST-DDT

  • [This is a useful tool](https://keystore-explorer.org/) in general, and can create and populate a PKCS12 keystore with no password. – President James K. Polk Nov 21 '21 at 22:29
  • While `openssl pkcs12 -export` can create a PKCS12 containing only cert(s) not privatekey(s), Java _standard_ provider won't use that as a truststore, because it requires trustedCertEntry's to have a special Sun-defined bag attribute that OpenSSL doesn't implement. If you can use _BouncyCastle_ provider in your app(s) to read the truststore, adding `-certpbe NONE` to what you have should almost work; otherwise, aside from writing your own program (which would be ontopic) I'd go with the deceased @President's suggestion. – dave_thompson_085 Nov 22 '21 at 02:21
  • Correction: Bouncy doesn't need the Sun OID, but it _does_ need friendlyname, so (also) add `-caname $unique` for each cert. Note in `openssl pkcs12` 'ca' versus 'cl' (client) really means with-privatekey versus without and has nothing to do with actual CA-ness (like basicconstraints and policies) or client-ness versus server-ness. Boo Eric. Also note you still have a PBMAC with _empty_ password not _no_ password, if that matters. – dave_thompson_085 Nov 22 '21 at 02:44
  • I guess I will go for the keystore explorer for now. Thanks for your guidance. – ST-DDT Nov 22 '21 at 19:01
  • I still run into issues as the keystore explorer created a truststore, that was too new to be understood by some java 8/11 flavors. I specifically had to start it with J8 to create a compatible keystore. See also: https://stackoverflow.com/questions/67766268/ioexception-in-java-8-when-reading-pkcs12-keystore-created-with-keytool-from-ope – ST-DDT Nov 22 '21 at 19:32
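
The export the question and the comments converge on (certificate bags only via -nokeys, unencrypted bags via -certpbe NONE, one -caname per certificate, empty password), as an added example that is not code from the original post or from any of the commenters. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH and constructs two throwaway self-signed certificates in place of the asker's client1.crt and client2.crt; the helper names (make_client_cert, build_truststore, cert_count, key_count, friendly_names) are this example's own. It then checks with OpenSSL itself that the file holds two certificate bags, no private key, and a friendlyName per bag, and shows that the same export without -caname produces bags with no alias at all. Whether a given Java provider lists those bags as trustedCertEntry is the separate point raised in the comments and is not checked here.

```shell
#!/bin/sh
# Added example, not code from the original post: build a certificate-only
# PKCS12 truststore with an empty password from client certificates that do
# not share a CA, then inspect what OpenSSL actually wrote into it.
# Assumptions: `openssl` (1.1.1 or 3.x) on PATH; the two client certificates
# are constructed here as throwaway self-signed certs standing in for the
# asker's client1.crt / client2.crt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: one self-signed cert per client, no common root.
# The private key is only used to self-sign and is never exported.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Concatenate the certs and export them as cert bags only.
#   -nokeys        no private key is read or written
#   -certpbe NONE  leave the cert bags unencrypted, so a reader needs no
#                  legacy RC2/3DES support (add -macalg sha1 if a reader
#                  also rejects the default MAC of your OpenSSL version)
#   -passout pass: empty password; a MAC over the empty password remains
#   -caname NAME   friendlyName per cert, applied in -in file order; readers
#                  such as BouncyCastle use it as the entry alias
# $1 = output file, $2 = "named" (add -caname flags) or "plain" (omit them),
# remaining args = certificate files, alias = file name without .crt
build_truststore() {
    out=$1; mode=$2; shift 2
    bundle="$WORK/bundle.pem"
    : > "$bundle"
    names=""
    for crt in "$@"; do
        cat "$crt" >> "$bundle"
        if [ "$mode" = named ]; then
            names="$names -caname $(basename "$crt" .crt)"
        fi
    done
    # $names is deliberately unquoted: it carries several flag/value pairs
    openssl pkcs12 -export -nokeys -certpbe NONE $names \
        -in "$bundle" -passout pass: -out "$out"
}

# Number of certificates OpenSSL can read back out of the file.
cert_count() {
    openssl pkcs12 -in "$1" -passin pass: -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Number of private keys in the file; must be 0 for a truststore.
key_count() {
    openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes 2>/dev/null \
        | grep -c 'PRIVATE KEY' || true
}

# friendlyName attributes of the cert bags, space separated, in file order.
friendly_names() {
    openssl pkcs12 -in "$1" -passin pass: -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | tr '\n' ' ' | sed 's/ $//'
}

make_client_cert client1
make_client_cert client2

PLAIN="$WORK/plain.p12"               # same export, but without -caname
NAMED="$WORK/trusted-clients.p12"     # the recommended form
build_truststore "$PLAIN" plain "$WORK/client1.crt" "$WORK/client2.crt"
build_truststore "$NAMED" named "$WORK/client1.crt" "$WORK/client2.crt"

echo "certs: $(cert_count "$NAMED")  keys: $(key_count "$NAMED")  aliases: '$(friendly_names "$NAMED")'"
echo "without -caname the bags carry no alias: '$(friendly_names "$PLAIN")'"
```

Run it as `sh build-truststore.sh`. The -caname values are matched to certificates by position, so the function appends each -caname in the same order in which it appends the certificate to the bundle; if you reorder one, reorder the other. The read-back checks pass `-passin pass:` on purpose: the file has a MAC computed over the empty password, which is not the same thing as a file with no MAC at all, as the comments note.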

0 Answers