The title says it all. Is this possible at all, or am I getting the idea of this whole thing wrong?

+2  A: 

A PKCS#12 file can contain various objects, but usually it contains certificates and private keys. A certificate is a container for a public key and other things, including a signature.

A root CA is often represented as a certificate (with a dummy signature, traditionally a self-signature). What makes such a certificate a "root CA" is a programmatic property, in which an application or an operating system declares: "in this certificate I trust".

It is possible to store a root CA certificate in a PKCS#12 file. What cannot be done is to store it as a "root": the certificate goes in the file, not the property which declares that the certificate is to be trusted ex nihilo. In more detail, PKCS#12 is an open format, but if you want to store something in a PKCS#12 file and have it read properly on the other end, then there must exist some sort of convention on how the object bits are to be interpreted. Such a convention does not exist (yet) for PKCS#12 files and trust settings.

You do not state which language you are using; I am assuming Java. In Java, there is a KeyStore class, obtained with a given "type", one of them being "pkcs12". You may then find, in the JCA documentation (in "Key Management"), the following:

As of JDK 6, standards for storing Trusted Certificates in "pkcs12" have not been established yet, and thus "jks" or "jceks" should be used for trusted certificates.

which says it all.

Thomas Pornin
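The answer above boils down to a practical recipe: read the certificates out of the PKCS#12 file with the standard KeyStore API, then put the ones you want to trust into a "jks" keystore as trusted-certificate entries, because that keystore type does have a defined notion of "trusted certificate". The program below is an added example, not code from the answer or from any library mentioned on this page; the file paths and passwords are assumed to be supplied on the command line, and the alias names it writes are its own invention. It only promotes a certificate to the trust store when that certificate is actually self-signed (its signature verifies under its own public key), which is the usual shape of a root CA, and skips anything else.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Copies root CA certificates found in a PKCS#12 file into a JKS trust store.
 *
 * Usage (paths and passwords are assumptions, supplied by the caller):
 *   java CopyRootsToJks bundle.p12 p12password truststore.jks jkspassword
 */
public class CopyRootsToJks {

    /** True if the certificate's signature verifies under its own public key. */
    static boolean isSelfSigned(Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** Adds cert to trust under alias if it is self-signed; returns whether it was added. */
    static boolean addIfRoot(KeyStore trust, String alias, Certificate cert) throws Exception {
        if (!isSelfSigned(cert)) {
            return false;
        }
        // setCertificateEntry is what makes this a *trusted* certificate in a JKS file.
        trust.setCertificateEntry(alias, cert);
        return true;
    }

    public static void main(String[] args) throws Exception {
        String p12Path = args[0];
        char[] p12Pass = args[1].toCharArray();
        String jksPath = args[2];
        char[] jksPass = args[3].toCharArray();

        // Load the PKCS#12 container: it holds certificates (and keys), no trust flags.
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            p12.load(in, p12Pass);
        }

        // Fresh, empty JKS keystore that will become the trust store.
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);

        int added = 0;
        for (String alias : Collections.list(p12.aliases())) {
            if (p12.isKeyEntry(alias)) {
                // A key entry carries its certificate chain; the root, if present, is last.
                Certificate[] chain = p12.getCertificateChain(alias);
                if (chain != null && chain.length > 0) {
                    Certificate last = chain[chain.length - 1];
                    if (addIfRoot(trust, alias + "-root", last)) {
                        added++;
                    }
                }
            } else if (p12.isCertificateEntry(alias)) {
                // A bare certificate entry: take it as-is if it is self-signed.
                if (addIfRoot(trust, alias, p12.getCertificate(alias))) {
                    added++;
                }
            }
        }

        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            trust.store(out, jksPass);
        }

        for (String alias : Collections.list(trust.aliases())) {
            X509Certificate c = (X509Certificate) trust.getCertificate(alias);
            System.out.println("trusted: " + alias + " -> " + c.getSubjectX500Principal());
        }
        System.out.println(added + " root certificate(s) written to " + jksPath);
    }
}
```

The resulting JKS file is what you would hand to the application as its trust store (for example via the javax.net.ssl.trustStore system property for TLS); the trust decision lives in that keystore's "trusted certificate" entries, not in the PKCS#12 file the certificates came from.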
the problem is I am trying to encrypt a mail using this http://javamail-crypto.sourceforge.net/ and when I try to import something else than a pkcs12 keystore I get the following exception: java.io.IOException: stream does not represent a PKCS12 key store
woezelmann
for those who are interested - I found this tool http://sourceforge.net/projects/portecle/ and it does exactly what I want :D
woezelmann