A possible explanation for this behaviour:
The standard PKCS#12 provider up to Java 7 did not allow trusted
certificate entries at all. The JSSE Reference Guide says this:Storing trusted certificates in a PKCS12 keystore is not supported.
PKCS12 is mainly used to deliver private keys with the associated
certificate chains. It does not have any notion of “trusted”
certificates. In terms of interoperability, other PKCS12 vendors have
the same restriction. Browsers such as Mozilla and Internet Explorer
do not accept a PKCS12 file with only trusted certificates.This has changed a bit in Java 8, which supports trusted certificates
in PKCS#12 – if they are marked with a special attribute (OID
2.16.840.1.113894.746875.1.1):openssl pkcs12 -in microsoft.p12 -info MAC Iteration 1024 MAC verified OK PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024 Certificate bag Bag Attributes friendlyName: microsoft it ssl sha2 (baltimore cybertrust root) 2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
Source: