java keystore file limitations

走远了吗. Submitted on 2021-02-04 21:38:53

Question


I created a keystore file for my PFX certificates (PKCS#12), but I need to know how many keys can be stored in a keystore file (JKS).

I'm currently loading the certificates as follows:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;

// open the existing PKCS#12 file with the store password
KeyStore oStore = KeyStore.getInstance("PKCS12");
oStore.load(new FileInputStream(AppConfig.get(AppConfig.SRC_KEY)),
    "SECRET".toCharArray());
...
// add a private key entry (alias, key, entry password, certificate chain)
oStore.setKeyEntry(idAlias, privateKey, pwd.toCharArray(), chain);
// write the store back to the same file
oStore.store(new FileOutputStream(AppConfig.get(AppConfig.SRC_KEY)),
    "SECRET".toCharArray());

Is there a limit to the number of keys and certificates I can store in this keystore?


Answer 1:


AFAIK there is no limit on the number of certificates a keystore can hold.




Answer 2:


I assume you are referring to the PKCS12 keystore type provided by the SunJSSE provider. This is an implementation of the PKCS #12 standard and so you can view it the same as any PKCS #12 file.

As a result, I'd suggest that the intention is for each file to contain a single private key and certificate.

If you are wanting to store many keys with certificates, I would suggest you consider using a normal keystore (rather than a PKCS #12 variant).




Answer 3:


Is there a limit to the number of keys and certificates I can store in this keystore?

To be honest I don't know if you can actually store more than 1 private key in your PKCS12, but even if you could, it would be a really unusual use and not recommended.
These keystores are used as containers for private credentials and are not meant to be shared, which is essentially what you will be doing if you add more than one private key and its corresponding public key and chain.
These containers typically have an encryption password that is required to access them, and the same password is used for the private key entry. So it is not a good option to keep multiple private keys in the same container, as they will all share the same password.
It might be possible that there is a provider (e.g. Bouncy Castle) that may allow you to set different passwords, but this container would be completely unusable if you intend to make it portable, i.e. be used by any application, as it would not expect the contents as you describe.

Update:
Your question is completely unrelated to the post you linked to. The problem in that case was that too many http-connector threads accessed the keystore file. It was a threading issue. Nothing to do with your question.
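Added example (not from the question or any of the answers): a small JDK-only audit program that inventories a PKCS#12 file and reports, for every private key entry, whether it opens with the store password, which is the shared-password situation Answer 3 describes. The class name, the command-line arguments and the output format are assumptions; it reads the keystore path and store password from the arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical audit helper (not part of the original post): lists the entries
// of a PKCS#12 keystore and checks which private keys share the store password.
public class KeyStoreAudit {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeyStoreAudit <file.p12> <store-password>");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }

        int keyEntries = 0, certEntries = 0, sharedPassword = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                Certificate[] chain = ks.getCertificateChain(alias);
                String subject = (chain != null && chain.length > 0 && chain[0] instanceof X509Certificate)
                        ? ((X509Certificate) chain[0]).getSubjectX500Principal().getName()
                        : "(no certificate chain)";
                String opens;
                try {
                    ks.getKey(alias, storePass); // succeeds only if the entry shares the store password
                    sharedPassword++;
                    opens = "opens with store password";
                } catch (UnrecoverableKeyException e) {
                    opens = "needs a different password";
                }
                System.out.printf("key entry  %-20s %s  [%s]%n", alias, subject, opens);
            } else if (ks.isCertificateEntry(alias)) {
                certEntries++;
                System.out.printf("cert entry %-20s%n", alias);
            }
        }
        System.out.printf("%d key entries (%d share the store password), %d trusted certificate entries%n",
                keyEntries, sharedPassword, certEntries);
    }
}
```

Run it against an existing .p12 file; more than one key entry in the summary means the container is being used as a shared store rather than as a single identity.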



Source: https://stackoverflow.com/questions/12201672/java-keystore-file-limitations
