Keystore without a password
Both the JVM and keytool have problems dealing with keystores without a password. If you try to list the keystore, keytool assumes you didn't provide a password and prints incorrect output:
$ keytool -list -storetype pkcs12 -keystore keystoreWithoutPassword.p12
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
tammo, Oct 14, 2015, SecretKeyEntry,
It incorrectly lists our key as being a secret key, which it isn't. We can get the correct output by providing the (empty) password on the command line:
$ keytool -list -storetype pkcs12 -keystore keystoreWithoutPassword.p12 -storepass ""
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
tammo, Oct 14, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 7A:1C:E6:21:50:2A:6F:A6:90:3D:AA:7B:84:D7:BC:CD:D8:46:AB:11
We still have problems when we want to use the keystore in our application, so we'll change it so that it has a password. This has to be done in 2 steps.
1. We export the key and certificate to a .pem file. The import password is empty, so just press Enter here. But be sure to specify a PEM pass phrase. If you leave that empty, it will not export the private key.
$ openssl pkcs12 -in keystoreWithoutPassword.p12 -out tmp.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
2. Then we create a new keystore with this .pem file.
$ openssl pkcs12 -export -in tmp.pem -out keystoreWithPassword.p12
Enter pass phrase for tmp.pem:
Enter Export Password:
Verifying - Enter Export Password:
We can use keytool to check the new keystore. Use the new password here.
$ keytool -list -storetype pkcs12 -keystore keystoreWithPassword.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
1, Oct 14, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 7A:1C:E6:21:50:2A:6F:A6:90:3D:AA:7B:84:D7:BC:CD:D8:46:AB:11
After this we can remove keystoreWithoutPassword.p12 and tmp.pem.
Source: http://wiki.bsdserver.nl/doku.php?id=misc:ssl:sslchangepwonpkcs12cert
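The two openssl steps and the fingerprint comparison above, scripted so they run without prompts (an added example, not from the original page). The function names and the NEW_P12_PASS environment variable are assumptions of this example; the intermediate tmp.pem is written to a private temporary directory and deleted afterwards.

```shell
#!/bin/sh
# Added example (constructed): the two openssl steps above, run without prompts.
# NEW_P12_PASS and both function names are assumptions of this example.

# Print the SHA1 fingerprint of the leaf certificate in a PKCS12 file.
# $1 = keystore, $2 = openssl pass phrase source ("pass:" is the empty password)
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 2>/dev/null
}

# Re-encrypt password-less keystore $1 into $2 under $NEW_P12_PASS.
# Returns 0 only if both steps succeed and the certificate is unchanged.
rekey_p12() {
    src=$1
    dst=$2
    [ -n "${NEW_P12_PASS:-}" ] || { echo "set NEW_P12_PASS first" >&2; return 2; }
    export NEW_P12_PASS
    # Private 0700 directory for tmp.pem, which holds the private key.
    workdir=$(mktemp -d) || return 1
    # Throwaway pass phrase for the intermediate PEM; env: keeps pass phrases
    # out of the argument list that ps shows.
    PEM_PASS=$(openssl rand -hex 16) || { rm -rf "$workdir"; return 1; }
    export PEM_PASS
    status=1
    if openssl pkcs12 -in "$src" -passin pass: \
            -out "$workdir/tmp.pem" -passout env:PEM_PASS 2>/dev/null &&
       openssl pkcs12 -export -in "$workdir/tmp.pem" -passin env:PEM_PASS \
            -out "$dst" -passout env:NEW_P12_PASS
    then
        old_fp=$(p12_fingerprint "$src" pass:)
        new_fp=$(p12_fingerprint "$dst" env:NEW_P12_PASS)
        [ -n "$old_fp" ] && [ "$old_fp" = "$new_fp" ] && status=0
    fi
    # Always remove the intermediate file; drop a half-written result on failure.
    rm -rf "$workdir"
    unset PEM_PASS
    [ "$status" -eq 0 ] || rm -f "$dst"
    return "$status"
}

# Usage: export NEW_P12_PASS first, then
#   rekey_p12 keystoreWithoutPassword.p12 keystoreWithPassword.p12
```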