How to create an empty java trust store?

Using keytool, create a random key pair:

keytool -genkeypair -alias boguscert -storepass storePassword -keypass secretPassword -keystore emptyStore.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"

then delete it

keytool -delete -alias boguscert -storepass storePassword -keystore emptyStore.keystore

review its contents:

$ keytool -list -keystore emptyStore.keystore -storepass storePassword
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries

One possible solution I found is to import some random certificate into a newly created trust store with keytool import and then delete the imported certificate from it. This leaves you with an empty key/trust store. Unfortunately the JVM is not happy with an empty trust store and throws an exception upon that. So at least one certificate should be present there which could be any invalid or expired one in order to achieve the goal.


You may pass a null argument to KeyStore::load to create an empty keystore. See https://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html#load-java.io.InputStream-char:A-


if someone eventually reaches here again:

  public static void main (String[] args) {
    String storePassword = "storePassword";
    String storeName = "emptyStore.jks";
    String storeType = "jks";
    try (FileOutputStream fileOutputStream = new FileOutputStream(storeName)) {
      KeyStore keystore = KeyStore.getInstance(storeType);
      keystore.load(null, storePassword.toCharArray());
      keystore.store(fileOutputStream, storePassword.toCharArray());
    } catch (CertificateException | NoSuchAlgorithmException | IOException | KeyStoreException e) {
      e.printStackTrace();
  }

then check the content with keytool:

$ keytool -list -keystore emptyStore.jks -storepass storePassword
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries