AnsweredAssumed Answered

AWI Create Keystore File: Questions about SHA-256 and PKSC12

Question asked by MartinZeise-Kaucic603598 on Oct 12, 2018
Latest reply on Oct 15, 2018 by Carsten_Schmitz



in AWA-Help 12.2


under Securing Access with HTTPS in subchapter Create a Keystore File for Your Tomcat Installation is written, that I should use SHA-256 instead of SHA-1: 


"….Warning! SHA-1 certificates are considered to be unsafe by modern browsers. Use SHA-256 instead"


"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore tomcat-keystore.jks -storepass myTomcatKeystorePassword


Question 1:

- Which parameter  of the program keytool do I have to modify or add, that i use SHA-256? 


Question 2:

I have adopted the command "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore tomcat-keystore.jks -storepass myTomcatKeystorePassword I only changed the Password and the Java path. After the creation of the file tomcat-keystore.jks I got following message in mein CLI: 



Der JKS-Keystore verwendet ein proprietäres Format. Es wird empfohlen, auf PKSC12 zu migrieren, das ein Industriestandardformat mit "keytool -importkeystore -srckeystore tomcat-keystore.jks -destkeystore tomcat-keystore.jks -deststoretype pkcs12" ist.


UK/US (my own translation)

The JKS-Keystore use a proprietary format. It is recommended to migrate to PKSC12, that is an default industrial format with "keytool -importkeystore -srckeystore tomcat-keystore.jks -destkeystore tomcat-keystore.jks -deststoretype pkcs12".


Has this message anything got to do with my first question (Q1: SHA-256 instead of SHA-1)?

- What is PKCS12?

- Are there any secrutiy reasons to switch over to PKCS12?

- How do I switch over to  pkcs12?


In the same page it's something written about PKSC12, but I should skip this because "...Skip this step if you are using the self-signed certificate created in the previous step.". I skipped it, because I use a self-signed certificate.


Question 3

Can I see afterwards if I use SHA-256 and PKSC12 (where can I verify it?)



Yours sincerely/Mit freundlichen Grüßen

Martin Zeise-Kaucic