One major difference between JKS and PKCS12 keystores generated by Java is that JKS stores certificates in plaintext while PKCS12 encrypts them. This has been the major obstacle to fully switching from JKS to PKCS12, especially for the cacerts file: everything in it is public information, and there is no benefit in encrypting the certificates and then publicizing the password to the whole world. This enhancement proposes changing the default pbecert algorithm to NONE (precisely, keystore.pkcs12.certProtectionAlgorithm in java.security). For newly created pkcs12 files this means that 1) keys are still protected by individual passwords, 2) certs are stored in plaintext, and 3) MacData is present for the integrity check. This would align pkcs12 with the behavior of JKS and make pkcs12 files friendlier to work with through the KeyStore API.
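The difference this setting makes through the KeyStore API, as an added example (not code from the JDK or from this proposal): the same trusted certificate is stored once with encrypted certs and once with NONE, then each file is opened without a password, as a cacerts consumer would. It assumes a JDK whose PKCS12 provider reads keystore.pkcs12.certProtectionAlgorithm and a non-empty default trust store; the class name, alias and password are made up for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class Pkcs12CertProtectionDemo {
    static final String PROP = "keystore.pkcs12.certProtectionAlgorithm";

    // Write a PKCS12 store holding one trusted certificate under the given setting.
    static byte[] build(String certAlg, X509Certificate ca, char[] pw) throws Exception {
        Security.setProperty(PROP, certAlg); // a system property of the same name would override this
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setCertificateEntry("ca", ca);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    // Number of entries visible when the file is opened with pw (null = no password, no MAC check).
    static int visibleEntries(byte[] p12, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), pw);
        return ks.size();
    }

    public static void main(String[] args) throws Exception {
        // Sample input: the first certificate in the runtime's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate ca = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];
        char[] pw = "changeit".toCharArray(); // constructed demo password

        byte[] encrypted = build("PBEWithHmacSHA256AndAES_256", ca, pw);
        byte[] plain = build("NONE", ca, pw);
        System.out.println("encrypted certs, null password: " + visibleEntries(encrypted, null));
        System.out.println("plaintext certs, null password: " + visibleEntries(plain, null));
        System.out.println("plaintext certs, store password: " + visibleEntries(plain, pw));

        // The certs are plaintext, so a wrong password can only fail at the MacData check.
        try {
            visibleEntries(plain, "wrong".toCharArray());
            System.out.println("wrong password accepted");
        } catch (IOException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```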