How to Create Passwordless PKCS 12 Truststores with Java

The default truststore format for current versions of Java is PKCS #12. As PKCS #12 can also be used for keystores, it often has a password. However, this makes little sense for truststores because, unlike keystores, they do not contain confidential data. In addition, it complicates operations because a password has to be managed.

Since JDK 18, Java supports creating PKCS #12 truststores without a password through the KeyStore API:

KeyStore.store(OutputStream, null);

Earlier versions need the following two system properties in order for this to work:

-Dkeystore.pkcs12.certProtectionAlgorithm=NONE -Dkeystore.pkcs12.macAlgorithm=NONE

Unfortunately, this is a JVM-wide setting.
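The following is an added example, not code from the original post or from the plugin. It writes a passwordless PKCS #12 truststore and reloads it with a null password to confirm that every entry survives. It assumes JDK 18 or later (or an earlier JDK started with the two system properties above); the class name, the `ca-N` aliases and the default output path `truststore.p12` are hypothetical, and the JDK's own trusted CA certificates serve as sample input.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PasswordlessTruststore {

    public static void main(String[] args) throws Exception {
        // Hypothetical output path; pass a different one as the first argument.
        Path file = Path.of(args.length > 0 ? args[0] : "truststore.p12");

        // Sample input: the CA certificates the running JDK already trusts.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null); // start with an empty in-memory store
        int index = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    trustStore.setCertificateEntry("ca-" + index++, ca);
                }
            }
        }

        // A null password means no certificate encryption and no integrity MAC.
        try (OutputStream out = Files.newOutputStream(file)) {
            trustStore.store(out, null);
        }

        // Round trip: the file must load without a password and keep every entry.
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            reloaded.load(in, null);
        }
        if (reloaded.size() != trustStore.size()) {
            throw new IllegalStateException("entry count changed after reload");
        }
        System.out.println("wrote " + reloaded.size() + " trusted certificates to " + file);
    }
}
```

Because the file carries no MAC, nothing inside it detects modification, so restrict write access to it with file system permissions.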

marschall/truststore-maven-plugin supports generating passwordless PKCS #12 truststores since version 0.7.0, either on JDK 18 or by setting the above-mentioned system properties.