Question

How do I import a public key from trusted root CA to PKCS12 key store?

Is this possible at all or am I getting the idea of this whole thing wrong?


Solution

A PKCS#12 file can contain various objects, but usually it contains certificates and private keys. A certificate is a container for a public key and other things, including a signature.

A root CA is often represented as a certificate (with a dummy signature, traditionally a self-signature). What makes such a certificate a "root CA" is a programmatic property, in which an application or an operating system declares: "in this certificate I trust".

It is possible to store a root CA certificate in a PKCS#12 file. What cannot be done is to store it as a "root": the certificate goes in the file, not the property which declares that the certificate is to be trusted ex nihilo. In more detail, PKCS#12 is an open format, but if you want to store something in a PKCS#12 file and have it read properly on the other end, then there must exist some sort of convention on how the object bits are to be interpreted. Such a convention does not exist (yet) for PKCS#12 files and trust settings.

You do not state which language you are using; I am assuming Java. In Java, there is a KeyStore class, obtained with a given "type", one of them being "pkcs12". You may then find, in the JCA documentation (in "Key Management"), the following:

As of JDK 6, standards for storing Trusted Certificates in "pkcs12" have not been established yet, and thus "jks" or "jceks" should be used for trusted certificates.

which says it all.
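To make the distinction concrete, here is an added example (not part of the answer above) that puts the same root CA certificate into a "pkcs12" keystore and a "jks" keystore with `KeyStore.setCertificateEntry`, then reloads both and reports the entry type. The input path `root-ca.pem`, the alias `my-root`, the output file names and the password are assumptions for the demonstration.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;

public class RootCaToPkcs12 {

    /** Reads one X.509 certificate (PEM or DER encoded) from disk. */
    static Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificate(in);
        }
    }

    /**
     * Stores the certificate as a certificate-only entry (no private key)
     * in a keystore of the given type and writes it to outPath.
     */
    static void storeAsCertEntry(Certificate cert, String alias, String type,
                                 String outPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                 // initialise an empty in-memory keystore
        ks.setCertificateEntry(alias, cert); // on JDK 6/7 this throws for "pkcs12"
        try (OutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, password);
        }
    }

    /** Reloads the keystore from disk and prints how each entry came back. */
    static void inspect(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.printf("%-6s %s: isCertificateEntry=%b isKeyEntry=%b%n",
                    type, alias, ks.isCertificateEntry(alias), ks.isKeyEntry(alias));
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical input: a root CA certificate file supplied on the command line.
        String caPath = args.length > 0 ? args[0] : "root-ca.pem";
        char[] pw = "changeit".toCharArray();   // demo password, an assumption

        Certificate root = loadCertificate(caPath);
        storeAsCertEntry(root, "my-root", "jks", "root.jks", pw);
        storeAsCertEntry(root, "my-root", "pkcs12", "root.p12", pw);
        inspect("jks", "root.jks", pw);
        inspect("pkcs12", "root.p12", pw);
    }
}
```

Compile with `javac RootCaToPkcs12.java` and run with `java RootCaToPkcs12 /path/to/root-ca.pem`. On JDK 6 and 7 the "pkcs12" call to `setCertificateEntry` fails with a `KeyStoreException`, which is exactly the limitation the JCA documentation quoted above describes; the "jks" store accepts the entry as a trusted certificate. From JDK 8 onward the "pkcs12" call succeeds, but only because the Java provider marks the bag with an Oracle-specific attribute (the "trusted key usage" attribute) to record the trust setting; other PKCS#12 consumers such as OpenSSL see an ordinary certificate bag and attach no trust to it, which is the answer's point that the certificate travels in the file while the trust decision does not.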

Licensed under: CC-BY-SA with attribution