Why does Java's keytool show no entries for a PKCS12 trust store created with openssl?
19:04 24 Aug 2021

I'm unsure why Java's keytool thinks my .p12 keystore is empty.

If I create a new self-signed cert and place it in a truststore.p12 pkcs12 keystore with openssl, like so:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com" -sha256

# This prompts for a password, I used 'changeit'
openssl pkcs12 -export -out truststore.p12 -nokeys -in cert.pem

And then view the contents of truststore.p12 with:

openssl pkcs12 -in truststore.p12 -nodes

MAC verified OK
Bag Attributes: 
subject=/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com
issuer=/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Everything looks good. But when I try to view the same file with keytool:

keytool -list -v -keystore truststore.p12 -storepass changeit -storetype PKCS12

I get this from keytool:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries

Why?

For context, I am generating my own self-signed CA and issuing client & server certificates with it. I have some Java applications that need to consume my CA trust chain (via -Djavax.net.ssl.trustStore command-line args), but they fail because, I suspect, keytool thinks it's empty.

Now, keytool WILL show privateKeyEntry if I include the corresponding private key of the cert. However, I'm creating a trust store (i.e. a CA Chain) and it shouldn't have any private keys in it; only public certificates.

java ssl openssl
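An added check, not part of the question above: Java's PKCS12 reader only surfaces a certificate that has no matching private key as a trusted entry when the certBag carries the Oracle "TrustedKeyUsage" bag attribute, which keytool -importcert writes and openssl pkcs12 -export -nokeys does not. The script below (example code, not the asker's) builds the same cert-only store both ways and compares what keytool reports; it assumes openssl and keytool are on PATH and uses the constructed password changeit.

```shell
#!/bin/sh
# Added example: build one cert-only PKCS12 with openssl and one with keytool,
# then compare the entry counts keytool reports. Needs openssl and keytool.
set -eu

PASS=changeit   # constructed password, matching the question

# Non-interactive self-signed cert (the key is only needed to produce it)
make_cert() {              # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=www.example.com" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Store as openssl writes it: a plain certBag with no TrustedKeyUsage attribute.
# OpenSSL 3.2 or later can add that attribute with: -jdktrust anyExtendedKeyUsage
build_with_openssl() {     # $1 = work dir -> $1/openssl.p12
  openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
    -out "$1/openssl.p12" -passout "pass:$PASS"
}

# Same cert imported by keytool, which sets the attribute itself
build_with_keytool() {     # $1 = work dir -> $1/keytool.p12
  keytool -importcert -noprompt -alias ca -file "$1/cert.pem" \
    -keystore "$1/keytool.p12" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1
}

# Print the entry count keytool reports for a store (empty if it cannot read it)
count_entries() {          # $1 = keystore path
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$PASS" 2>/dev/null \
    | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p' | head -n 1
}

# Whole comparison; prints "openssl=<n> keytool=<n>"
compare_stores() {
  dir=$(mktemp -d)
  make_cert "$dir"
  build_with_openssl "$dir"
  build_with_keytool "$dir"
  o=$(count_entries "$dir/openssl.p12"); k=$(count_entries "$dir/keytool.p12")
  rm -rf "$dir"
  echo "openssl=${o:-0} keytool=${k:-0}"
}

# Run the comparison when both tools are available (skip silently otherwise)
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  compare_stores
fi
```

Expected output on a JDK 8 or later: openssl=0 keytool=1, reproducing the "0 entries" from the question for the openssl-built file and a single trustedCertEntry for the keytool-built one.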