Works for me and since the later versions of java accept both JKS and PKCS12 you do not have to specify the input store type.
java --versionopenjdk 11.0.15 2022-04-19OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing) keytool -importkeystore -srckeystore bmstore.pkcs12.pem -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks -deststorepass changeitImporting keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...Entry for alias 1 successfully imported.Import command completed: 1 entries successfully imported, 0 entries failed or cancelled Warning:<1> uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update. Mark Hack On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via openssl-users wrote: > Bonjour, > > OpenSSL 3 changed the default ciphers used to protect the private > keys and certificates when creating a PKCS#12, to use something less > aging. > Try adding a "-legacy" when creating the PKCS#12 file with OpenSSL3 > and see if keytool can read it. > > > > On Thu, May 19, 2022 at 11:53 AM Djordje Gavrilovic < > gavrilovic...@gmail.com> wrote: > > Hi guys, > > > > I have a following issue with migrating from version 1.1.1f to > > 3.0.2: > > > > > > > > I generate bmstore.pkcs12.pem file with the following commands: > > > > > > > > ``` > > > > > > > > openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem > > -nodes > > > > -x509 -days 999 -out bmstore.x509.crt -subj > > > > "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS" > > > > openssl pkcs12 -export -in bmstore.x509.crt -inkey > > bmstore.pkcs8.pem > > > > -out bmstore.pkcs12.pem -passin pass:changeit -passout > > pass:changeit > > > > ``` > > > > > > > > This file is genearted with different openssl versions differently. > > Both > > > > versions of the file are attached. > > > > > > > > Based on that file I generate: > > > > > > > > ``` > > > > keytool -importkeystore -srckeystore bmstore.pkcs12.pem > > -srcstoretype > > > > PKCS12 -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks > > > > -deststorepass changeit > > > > ``` > > > > > > > > But keytool works only with the bmstore.pkcs12.pem generated with > > old > > > > version of openssl and creates bmstore.pkcs8.x509.jks > > > > > > > > The current version of openssl generates bmstore.pkcs12.pem in > > another > > > > format and keytool throws an exception: > > > > > > > > ``` > > > > Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks... > > > > keytool error: java.io.IOException: keystore password was incorrect > > > > > > > > ``` > > > >