I've always known that keytool is a very limited program. But right now I'm once again amazed about how few things that are actually doable in it.
I've spent some time this weekend debugging our (that is, KI's) setup of a system called CWAA (common web authentication architecture). It can be found here. It's based on the idea of using certificates so that one university can guarantee the identity of an entity to another university. In our case it's used to make it possible for KI students to login to the wireless network services at Stockholm University, with their KI identity.
As it is certificate expiry time, there was some work to be done. No problem, I thought. I proceeded to update KI's CWAA certificate and add it to the correct places. It should be noted that we use PKCS12 keystores. As I looked inside the old p12-file, I couldn't find any other cert that should be updated, so I went ahead and tried the installation. No luck. After much time I noticed that when using openssl to view the p12 file, it contained more certificates than keytool showed. It turns out that keytool can only view ONE entry in a PKCS12 keystore, and can't edit it at all. This limitation was not known to me until now. Once I found this out it was easy to update the rest of the certificates and everything is working.
But right now I'm strongly considering either finding a better keytool (maybe bouncycastle have a client program?) or writing myself a new one. Apparently the JDK version is unusable for all professional use.