Before considering migrating the platform default keystore format to PKCS12, its keystore implementation must at least match the functionality of JKS.

I have developed a prototype of a multi-format keystore that understands both JKS and PKCS12 formats - it checks for the JKS magic number to determine the format. By supporting both formats, existing applications that access keystores using the platform default keystore format continue to function as expected.

In addition, storing trusted certs in PKCS12 is now supported. I've selected the X.509 extendedKeyUsage attribute to explicitly denote that a certificate is trusted - its default value is trusted-for-any-purpose. This well-known attribute is stored with the certificate in a PKCS12 certBag.

Webrev: http://cr.openjdk.java.net/~vinnie/jdk8-multi/webrev/

Please send me any comments.

Thanks.
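The magic-number check described above, sketched as an added example that is not part of the original post and not the prototype's code. The class and method names are hypothetical, and treating every stream that lacks the JKS magic as PKCS12 is an assumption made for this sketch.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

// Added illustration; class and method names are hypothetical, not the prototype's.
public class KeystoreFormatProbe {
    // A JKS file starts with this big-endian 32-bit magic number.
    static final int JKS_MAGIC = 0xFEEDFEED;

    /** Peeks at the first four bytes without consuming them and names the format. */
    static String detect(InputStream in) throws IOException {
        if (!in.markSupported()) throw new IllegalArgumentException("stream must support mark/reset");
        in.mark(4);
        try {
            int magic = new DataInputStream(in).readInt(); // EOFException if fewer than 4 bytes
            return magic == JKS_MAGIC ? "JKS" : "PKCS12";  // assumption: no magic means PKCS12
        } finally {
            in.reset(); // rewind so the real loader sees the stream from byte 0
        }
    }

    /** Loads a keystore of either format through the matching standard provider. */
    static KeyStore load(InputStream raw, char[] password) throws Exception {
        InputStream in = raw.markSupported() ? raw : new BufferedInputStream(raw);
        KeyStore ks = KeyStore.getInstance(detect(in));
        ks.load(in, password); // integrity check against the password happens here
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password
        for (String type : new String[] {"JKS", "PKCS12"}) {
            // Constructed sample input: an empty keystore serialised in each format.
            KeyStore empty = KeyStore.getInstance(type);
            empty.load(null, null);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            empty.store(out, pw);
            KeyStore loaded = load(new ByteArrayInputStream(out.toByteArray()), pw);
            System.out.println(type + " bytes -> loaded as " + loaded.getType());
        }
    }
}
```

The probe only selects a parser. The store's integrity is still verified by `KeyStore.load` against the supplied password, so a caller that passes a null password gets no tamper check in either format.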