Is keytool still necessary to create a PKCS12 keystore from a PKCS12 keystore created by OpenSSL from Let's Encrypt pem files?

Question

I use Java 11 (AdoptOpenJDK), keytool uses PKCS12 by default since Java 9, I need a PKCS12 keystore for Jetty 11. Let's Encrypt gives me two pem files. Therefore, I convert those 2 pem files into a PKCS12 keystore with OpenSSL and I use keytool as advised in a tutorial:

openssl pkcs12 -export -inkey /etc/letsencrypt/live/$domainName/privkey.pem -in /etc/letsencrypt/live/$domainName/fullchain.pem -out /etc/letsencrypt/live/$domainName/jetty.pkcs12 -passout "pass:$srcKeystorePassword"
keytool -importkeystore -noprompt -srckeystore /etc/letsencrypt/live/$domainName/jetty.pkcs12 -srcstoretype PKCS12 -srcstorepass $srcKeystorePassword -destkeystore /etc/letsencrypt/live/$domainName/keystore -deststorepass $destKeystorePassword

Isn't the second line useless (except to use another password)? I can't check it by myself right now because I exceeded the weekly limit of Let's Encrypt yesterday and I didn't keep the created pem files. I wrote a script to ease self-hosting, I'd like to remove any unnecessary steps from it.

Could I simply copy the PKCS12 keystore created by OpenSSL? Is there anything subtle I'm missing?

Answer 1

keytool is necessary for the application servers or softwares supporting only JKS but it's no longer necessary in my case as Jetty 11 supports PKCS12.

Note that keytool uses PKCS12 by default since Java 9 (i.e when you don't force the store type) but it was already possible to use this store type as an option with -storetype pkcs12 since Java 6 (maybe even in earlier versions).