KeyStore API throws error : java.security.KeyStoreException: BCFIPS JKS store is read-only and only supports certificate entries

Question

I have created a JKS trust-store for an application. (PKCS12 is not yet supported by the OpenJDK in production server)

I am trying to add a certificate to the truststore using the KeyStore API:

public addToTrustStore(List<String> certChain) {
String alias;
try {
    KeyStore keyStore = loadTruststore();
    for (String cert : certChain) {
        alias = UUID.randomUUID().toString();
        X509Certificate certificate = decodePEMCertificate(cert); // converts PEM format to X509Certificate
        keyStore.setCertificateEntry(alias, certificate);
        logger.debug("Added the certificate with DN: {0} to the "
                + "truststore with the alias: {1}", certificate.getSubjectDN());
        }
    } catch (KeyStoreException a) {
        //process execption
    }

}

Can anyone help me get past this red-only nature of this JKS?

Thanks in advance.

Answer 1

Solution: Summary : Bouncycastle doesn't permit write to JKS keystores. So we need to use BCFKS format keystore.

You can use the providers:

1. org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, for FIPS compliance
2. org.bouncycastle.jce.provider.BouncyCastleProvider

The keytool commands that worked for me:

Create keystore:

keytool -import -file pem.cert -alias "vmware" -storepass changeit -keystore truststore.bks -deststoretype BCFKS -noprompt -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar

Delete an entry:

keytool -delete -alias boguscert -storepass changeit -keystore truststore.bks -storetype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar