JDK-7109096 : keytool -genkeypair needn't call -selfcert
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2011-11-07
  • Updated: 2014-08-05
  • Resolved: 2011-11-29
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7u40Fixed 8 b15Fixed
Related Reports
Relates :  
keytool uses CertAndKeyGen to generate a basic self-signed certificate with no extensions. When -ext option was introduced, -genkeypair was implemented as original -genkeypair plus -selfcert, and extensions info was added in the -selfcert step.

This means the keystore object is modified twice in this single operation. In the case of PKCS11 or MSCAPI, it is actually written to the token twice. If a token can only be written once, the action will fail.

noreg-cleanup hence not verified

EVALUATION http://hg.openjdk.java.net/jdk8/tl/jdk/rev/52be75d060f9