JKS vs PKCS#12 — Which Should You Use in 2026?
JKS is a proprietary Java format that Oracle has marked for deprecation. PKCS#12 is the modern, interoperable standard. Here's everything you need to know to make the right choice — and migrate safely.
What is JKS?
JKS (Java KeyStore) is a proprietary binary keystore format created by Sun Microsystems and shipped with Java since JDK 1.1. It stores private keys, certificates, and trusted CA certificates in a single file protected by a password.
For decades it was the default format for Java SSL/TLS configuration — used in Tomcat, JBoss, WebLogic, and countless enterprise applications. If you've ever run keytool -genkeypair without specifying a format, you got a JKS file.
What is PKCS#12?
PKCS#12 (also called PFX) is an industry-standard format defined by RSA and later standardised as RFC 7292. Unlike JKS, it is not tied to Java — it works with OpenSSL, Windows, macOS Keychain, browsers, and every major TLS implementation.
A .p12 or .pfx file can store private keys, certificates, and the full certificate chain in a single portable bundle.
Side-by-side comparison
| Feature | JKS | PKCS#12 |
|---|---|---|
| Standard | Proprietary (Sun/Oracle) | RFC 7292 (industry standard) |
| Cross-platform | Java only | OpenSSL, Windows, macOS, Java |
| Default in Java | JDK 1.1 – JDK 8 | JDK 9+ (as of JEP 229) |
| File extension | .jks | .p12 / .pfx |
| Chain storage | Manual, error-prone | Built-in, ordered |
| Deprecation status | Deprecated (JDK 17+) | Recommended |
| Tool support | keytool only | keytool + openssl + all others |
| Password protection | Keystore + key passwords | Single store password |
JKS deprecation — what it actually means
Starting with JDK 9 (JEP 229), Oracle changed the default keystore type from JKS to PKCS12. From JDK 17 onwards, using JKS generates a deprecation warning:
WARNING: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using: keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12
JKS is not removed — it still works. But Oracle is signalling clearly that PKCS12 is the future, and future JDK versions may drop JKS support entirely.
When should you migrate?
How to migrate JKS → PKCS#12
Option 1 — keytool (simplest, built into Java)
# Passwords given as arguments end up in shell history and the process list
keytool -importkeystore \
  -srckeystore keystore.jks \
  -srcstoretype JKS \
  -srcstorepass your-jks-password \
  -destkeystore keystore.p12 \
  -deststoretype PKCS12 \
  -deststorepass your-p12-password \
  -noprompt
Option 2 — OpenSSL (for more control)
# First export the private key and cert from JKS
keytool -importkeystore -srckeystore keystore.jks \
  -destkeystore temp.p12 -deststoretype PKCS12

# Then rebuild with OpenSSL to include full chain
# (-nodes writes key.pem unencrypted; delete key.pem and temp.p12 when done)
openssl pkcs12 -in temp.p12 -out key.pem -nocerts -nodes
openssl pkcs12 -in temp.p12 -out cert.pem -nokeys
openssl pkcs12 -export \
  -in cert.pem -inkey key.pem \
  -certfile intermediate.pem \
  -out final.p12 -name "my-cert"
Verify the migration worked
keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass your-p12-password
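Listing the new store shows what it contains, not whether it matches the old one. The following is an added example (not part of the original page) that compares every alias in the source JKS against the migrated PKCS#12 file. It assumes each key password equals its store password, and the environment variable names SRC_STOREPASS and DEST_STOREPASS are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.Objects;

// Added example: checks that a JKS -> PKCS#12 migration preserved every entry.
// Run (JDK 11+): java VerifyKeystoreMigration.java keystore.jks keystore.p12
public class VerifyKeystoreMigration {
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // fails if the password or the store's integrity check is wrong
        }
        return ks;
    }

    // Returns the number of source aliases that are missing or differ in the destination.
    static int compare(KeyStore src, char[] srcPass, KeyStore dst, char[] dstPass) throws Exception {
        int problems = 0;
        for (String alias : Collections.list(src.aliases())) {
            String issue = null;
            if (!dst.containsAlias(alias)) {
                issue = "missing from destination";
            } else if (src.isKeyEntry(alias) != dst.isKeyEntry(alias)) {
                issue = "entry type changed";
            } else if (src.isKeyEntry(alias)) {
                // Assumption: key password == store password on both sides.
                byte[] a = src.getKey(alias, srcPass).getEncoded();
                byte[] b = dst.getKey(alias, dstPass).getEncoded();
                if (!Arrays.equals(a, b)) {
                    issue = "private key differs";
                } else if (!Arrays.equals(src.getCertificateChain(alias), dst.getCertificateChain(alias))) {
                    issue = "certificate chain differs (content or order)";
                }
            } else if (!src.getCertificate(alias).equals(dst.getCertificate(alias))) {
                issue = "trusted certificate differs";
            }
            if (issue != null) problems++;
            System.out.println(alias + ": " + (issue == null ? "OK" : issue));
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        char[] sp = Objects.requireNonNull(System.getenv("SRC_STOREPASS"), "SRC_STOREPASS not set").toCharArray();
        char[] dp = Objects.requireNonNull(System.getenv("DEST_STOREPASS"), "DEST_STOREPASS not set").toCharArray();
        System.exit(compare(load("JKS", args[0], sp), sp, load("PKCS12", args[1], dp), dp) == 0 ? 0 : 1);
    }
}
```

A non-zero exit status means at least one alias did not survive the migration intact, so the check can gate a deployment script.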
Configuring Spring Boot with PKCS#12
Update your application.properties or application.yml:
# application.properties
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=your-password
server.ssl.key-alias=my-cert

# application.yml
server:
  ssl:
    key-store: classpath:keystore.p12
    key-store-type: PKCS12
    key-store-password: your-password
    key-alias: my-cert