What is PKCS12?

Manuka Maduranga


Whenever we talk about secure communication over networks, keywords such as "SSL", "Keystores", "JKS" pop up frequently.
Typically keystores and trust stores are used when our applications need to communicate securely over SSL/TLS.
For more details about how communication over SSL works, follow the blog mentioned below.

SSL Certificates

These keystores and trust stores are password-protected files that reside on the same file system as the application. The default and most widely used format for these files was JKS (Java Keystore), at least until Java 8.

With Java 9, the default Keystore format was changed from JKS to PKCS12. The most noteworthy difference between JKS and PKCS12 is that while JKS was a format specific to Java, PKCS12 is a standardized and language-neutral way of storing encrypted private keys and certificates.
Here's an excerpt from the official definition:

"A PKCS12 (Public-Key Cryptography Standards) defines an archive file format for storing server certificates, intermediate certificate if any, and private key into a single encryptable file"

So why did Java 9 make PKCS12 the default?

  • Secret keys, private keys, and certificates can be stored
  • PKCS12 is a standard format, so it can be read by other programs and libraries, while JKS is Java-specific.
  • Improved security: JKS is pretty insecure. This can be seen from the number of tools for brute-forcing passwords of this Keystore type, especially popular among Android developers [1].

If you're working in Java then the Java Key Store is a fairly natural place to store private keys. Java applications typically expect to get the keys they need from JKS, and it's easy to access from your own Java apps. JKS is not accessible from outside Java though.
PKCS12 (aka PFX) files, on the other hand, are language-neutral and more secure, and the format has been around long enough that it's supported just about everywhere.
If you want to convert JKS (.jks) Keystore to a PKCS12 (.p12) Keystore, you can do so by executing the following command.

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]

  • [MY_KEYSTORE.jks]: The path to the Keystore that you want to convert.
  • [MY_FILE.p12]: path to the PKCS12 file (.p12 or .pfx extension) that is going to be created.
  • [PASSWORD_PKCS12]: The password that will be requested at the PKCS12 file opening.
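
Before converting, it helps to know which files are really still JKS, since the file extension does not tell you. The script below is an added example, not part of the original post: it classifies a keystore by its leading bytes and prints the conversion command for each legacy store it finds. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find keystores that are still JKS/JCEKS by content, not by
# file extension. Magic numbers: JKS = FEEDFEED, JCEKS = CECECECE; a PKCS12
# file is an ASN.1 SEQUENCE (0x30) whose first element is INTEGER 3.

keystore_type() {
    # First 8 bytes as lowercase hex without separators.
    ks_hex=$(od -An -v -tx1 -N 8 "$1" 2>/dev/null | tr -d ' \n')
    case "$ks_hex" in
        feedfeed*)          echo JKS ;;
        cececece*)          echo JCEKS ;;
        30[0-7]?020103*)    echo PKCS12 ;;   # short-form length
        3081??020103*)      echo PKCS12 ;;   # 1 length byte
        3082????020103*)    echo PKCS12 ;;   # 2 length bytes (typical)
        3083??????020103*)  echo PKCS12 ;;   # 3 length bytes
        3080020103*)        echo PKCS12 ;;   # BER indefinite length
        *)                  echo UNKNOWN ;;
    esac
}

# Print one line per file under DIR; for legacy stores also print the keytool
# command from the article. -deststorepass is left out on purpose so keytool
# prompts for it instead of exposing it in the process list and shell history.
audit_keystores() {
    find "$1" -type f | sort | while IFS= read -r ks_file; do
        ks_type=$(keystore_type "$ks_file")
        printf '%s\t%s\n' "$ks_type" "$ks_file"
        case "$ks_type" in
            JKS|JCEKS)
                printf '  keytool -importkeystore -srckeystore "%s" -destkeystore "%s.p12" -srcstoretype %s -deststoretype PKCS12\n' \
                    "$ks_file" "$ks_file" "$ks_type" ;;
        esac
    done
}

# Demo on constructed sample files (header bytes only, not real keystores).
demo_dir=$(mktemp -d)
printf '\376\355\376\355\000\000\000\002' > "$demo_dir/legacy.jks"
printf '\060\202\012\000\002\001\003\060' > "$demo_dir/renamed.jks"  # PKCS12 bytes, .jks name
audit_keystores "$demo_dir"
rm -rf "$demo_dir"
```

The check only inspects the header, so a PKCS12 result means "looks like a PFX structure", not that the file is intact or that its password is strong.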

At the end of the day, the decision on what Keystore type to use should be based on how you plan to use the private key - that is: what applications will need to use the private key and what format(s) of key store do they already handle. PKCS12 is a more flexible and secure option.
Thank you for reading up until the end. If you have any questions regarding this, feel free to mention them in the comments.

[1] - https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_02B-1_Focardi_paper.pdf

