Liberty default keystore type changed to PKCS12

The default keystore type changed from JKS to PKCS12. The PKCS12 keystore type is an industry standard that can be easier to use with other products, like OpenSSL or browser products.

JKS keystore files are still supported. If a server has an existing configuration that uses a JKS keystore file, the server continues to use and load the JKS keystore file.

You can optionally convert existing JKS keystore files to PKCS12 keystore files. The following example shows how to use the keytool command to do the conversion:

    keytool -importkeystore -srckeystore key.jks -srcstorepass <password> -destkeystore key.p12 -deststorepass <password> -deststoretype PKCS12

If you use a minimal SSL configuration and your configuration does not use a key.jks file, the default keystore type is PKCS12. The following example shows a minimal SSL configuration.

    <keyStore id="defaultKeyStore" password="<my password>" />

The default PKCS12 keystore is created in the resources/security directory as the key.p12 file when the server starts. However, if your configuration uses the key.jks file, then no PKCS12 file is created. The server uses this existing JKS keystore file instead.

To ensure that Liberty uses the key.p12 keystore file, remove any key.jks keystore file that might be in the resources/security directory. If both the key.p12 and key.jks keystore files are in the directory, Liberty tries to use the key.jks keystore file in the minimal SSL configuration for compatibility reasons. A warning message is produced to indicate that both keystore files exist and that the key.jks keystore file is being used.
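
The selection rule described above can be checked before a server starts. The following script is an added example, not part of the Liberty documentation or product: the function names and the directory argument are assumptions, and the format check relies on the JKS file magic (0xFEEDFEED) and the DER SEQUENCE tag (0x30) that opens a PKCS12 file.

```shell
#!/bin/sh
# Added example (not IBM code). Pass the path of a server's
# resources/security directory; the function names are hypothetical.

# Print the on-disk format of a keystore file from its leading bytes,
# so that a misnamed file is not trusted by its extension alone.
keystore_format() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;      # JKS magic number
        30*)      echo PKCS12 ;;   # DER SEQUENCE tag
        *)        echo UNKNOWN ;;
    esac
}

# Report which default keystore the minimal SSL configuration uses
# for the directory in $1, following the rule stated on this page.
default_keystore() {
    dir=$1
    if [ -f "$dir/key.jks" ] && [ -f "$dir/key.p12" ]; then
        echo "key.jks (warning: key.p12 is also present)"
    elif [ -f "$dir/key.jks" ]; then
        echo "key.jks"
    elif [ -f "$dir/key.p12" ]; then
        echo "key.p12"
    else
        echo "key.p12 (created at server start)"
    fi
}

# Demo on constructed files that contain only the leading bytes.
demo=$(mktemp -d)
printf '\376\355\376\355' > "$demo/key.jks"
printf '\060\202' > "$demo/key.p12"
default_keystore "$demo"            # both present: key.jks wins
keystore_format "$demo/key.jks"
rm -f "$demo/key.jks"
default_keystore "$demo"            # after removal: key.p12
keystore_format "$demo/key.p12"
rm -rf "$demo"
```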