Currently SYM_ENCRYPT accepts only keystores of type JCEKS. Other types such as JKS or PKCS12 are not permitted.
Solution: add an attribute keystore_type to SYM_ENCRYPT, which will allow for other keystore types to be used.
E.g. keystore_type="PKCS12" means that an external certificate generated by openssl will be usable.