On Mon, 22 Sep 2025 22:47:10 GMT, Weijun Wang <[email protected]> wrote:
>> Then you can't read in an old keystore and write it back out as a PBMAC1
>> keystore?
>>
>> I thought the PBE* security property value, if present, applied to all
>> keystore writes.
>
> It writes back using the original Mac algorithm.
>
> If you really want to "upgrade" a keystore, run `keytool -importkeystore`.

Another iteration on this (sigh). This sequence now works:

    keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias a -dname CN=a -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA512
    keytool -keystore ks -keyalg ec -storepass changeit -genkeypair -alias b -dname CN=b -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256
    keytool -importkeystore -srckeystore ks -storepass changeit -destkeystore ks.new -J-Dkeystore.pkcs12.macAlgorithm=PBEWithHmacSHA256

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24429#discussion_r2373906624
