Monday, August 6, 2007

How To - Creating PKCS12 certificate store with BouncyCastle provider

A PKCS12 certificate store can be created using various tools such as the Java keytool, the Microsoft Certificate Authority Service, and OpenSSL.
When the Java keytool is used to create a PKCS12 store, it uses the Sun provider by default.

The following instructions show how to create a PKCS12 store with the BouncyCastle provider instead.

  1. Modify the java.security file under the JRE_HOME/lib/security directory to include BouncyCastle as a security provider.
    Add the following entry under the section "List of providers and their preference orders": security.provider.x=org.bouncycastle.jce.provider.BouncyCastleProvider
    Make sure the entry is placed above security.provider.x+1=com.sun.net.ssl.internal.ssl.Provider
    (Here x is the index in the sequence of security providers.)

  2. Put the BouncyCastle jar under the JRE_HOME/lib/ext directory.
    Tip: If using OWSM, instead of downloading it you can copy it from ORACLE_HOME/owsm/lib/extlib/bcprov-jdk14-119.jar

  3. Run keytool from the JRE_HOME/bin directory:
    keytool -genkey -v -alias aprivatekey -keyalg RSA -keystore mykeystore.p12 -storepass changeit -storetype pkcs12 -provider org.bouncycastle.jce.provider.BouncyCastleProvider

Contributed by Rohit Soni
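The same result can be produced programmatically, which also shows how to check afterwards that the store really was served by the BouncyCastle provider rather than the Sun one. This is an added example, not code from the original post; it assumes a current bcprov and bcpkix on the classpath (the certificate builder classes live in bcpkix and are not in the bcprov-jdk14-119 jar mentioned above), Java 7 or later, and uses the same alias, file name and password as the keytool command.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class BcPkcs12Store {
    public static void main(String[] args) throws Exception {
        // Register BouncyCastle at runtime under its provider name "BC";
        // this replaces the java.security edit when you control the JVM.
        Security.addProvider(new BouncyCastleProvider());
        char[] password = "changeit".toCharArray();   // same values as the keytool command
        String alias = "aprivatekey";
        String file = "mykeystore.p12";
        // RSA key pair generated by the BC provider.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Self-signed certificate, the equivalent of what keytool -genkey produces.
        X500Name dn = new X500Name("CN=example, O=Example Org");  // placeholder DN
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BC").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC")
                .getCertificate(new JcaX509v3CertificateBuilder(dn,
                        BigInteger.valueOf(System.currentTimeMillis()),
                        notBefore, notAfter, dn, kp.getPublic()).build(signer));
        // PKCS12 store requested explicitly from BC, not from the default Sun provider.
        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        ks.load(null, null);
        ks.setKeyEntry(alias, kp.getPrivate(), password, new X509Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream(file)) {
            ks.store(out, password);
        }
        // Reload and confirm which provider served the store and that the entry is present.
        KeyStore check = KeyStore.getInstance("PKCS12", "BC");
        try (FileInputStream in = new FileInputStream(file)) {
            check.load(in, password);
        }
        System.out.println("provider=" + check.getProvider().getName()
                + " hasKey=" + check.isKeyEntry(alias));
    }
}
```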