Linux java default keystore

How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?

I wouldn’t necessarily rely on that code. Things like Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()) are completely unnecessary in the first part. The second doesn’t do any cert verification. Try with a plain URLConnection to start with. Are you sure you’ve modified cacerts in lib/security of your JRE installation? Have you tried the trustmanager debugging option?


On Windows the easiest way is to use the program portecle.

  1. Download and install portecle.
  2. First make 100% sure you know which JRE or JDK is being used to run your program. On a 64 bit Windows 7 there could be quite a few JREs. Process Explorer can help you with this or you can use: System.out.println(System.getProperty("java.home"));
  3. Copy the file JAVA_HOME\lib\security\cacerts to another folder.
  4. In Portecle click File > Open Keystore File
  5. Select the cacerts file
  6. Enter this password: changeit
  7. Click Tools > Import Trusted Certificate
  8. Browse for the file mycertificate.pem
  9. Click Import
  10. Click OK for the warning about the trust path.
  11. Click OK when it displays the details about the certificate.
  12. Click Yes to accept the certificate as trusted.
  13. When it asks for an alias click OK and click OK again when it says it has imported the certificate.
  14. Click save. Don’t forget this or the change is discarded.
  15. Copy the file cacerts back where you found it.

You can download the SSL certificate from a web server that is already using it like this:

$ echo -n | openssl s_client -connect www.example.com:443 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

Optionally verify the certificate information:

$ openssl x509 -in /tmp/examplecert.crt -text 

Import the certificate into the Java cacerts keystore:

$ keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts \
    -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt

This worked, but my java was in a different location. My keystore was located at /usr/lib/jvm/java-openjdk/jre/lib/security/cacerts which I found by running ps -ef | grep java which told me my java was running from openjdk located at /usr/lib/jvm/java-openjdk/bin/java. Also, if this is for a webapp remember to restart. Thanks for the help!!
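The two answers above, and the comment about finding the right JVM, come down to three checks: which cacerts the running JVM reads, whether the downloaded certificate is the one the server owner actually published, and whether the alias is already present. The following POSIX shell helpers are an added example, not code from any answer on this page; the function names, the use of -XshowSettings:properties to read java.home, and the fallback from jre/lib/security to lib/security (JDK 9+ layout) are my choices, and openssl and keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not the code of any answer on this page. Assumes openssl and
# keytool are on PATH; every function name here is a hypothetical helper.

# Map a java.home directory to its cacerts file. JDK 8 and older keep it under
# jre/lib/security (or directly under lib/security when java.home already
# points at a JRE); JDK 9+ keep it under lib/security. Returns 1 if none found.
resolve_cacerts() {
    home=$1
    for candidate in "$home/jre/lib/security/cacerts" "$home/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# java.home of the java on PATH (or of $JAVA_HOME/bin/java when JAVA_HOME is
# set), i.e. the JVM whose cacerts the application will actually read.
java_home() {
    "${JAVA_HOME:+$JAVA_HOME/bin/}java" -XshowSettings:properties -version 2>&1 \
        | sed -n 's/^ *java\.home = //p'
}

# Save the leaf certificate of host:port to $3 and print its SHA-256
# fingerprint, to be compared with the value the server owner published
# before anything is imported.
fetch_cert() {
    host=$1 port=$2 out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$out"
    [ -s "$out" ] || return 1
    openssl x509 -in "$out" -noout -fingerprint -sha256
}

# Import certificate file $2 into keystore $1 under alias $3 (store password
# $4, default changeit), skipping the import when the alias already exists.
import_cert() {
    ks=$1 file=$2 alias=$3 pass=${4:-changeit}
    if keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already present in $ks"
        return 0
    fi
    keytool -importcert -noprompt -keystore "$ks" -storepass "$pass" \
        -alias "$alias" -file "$file"
}

# Typical use: ks=$(resolve_cacerts "$(java_home)") &&
#   fetch_cert www.example.com 443 /tmp/example.pem && import_cert "$ks" /tmp/example.pem example
```

Restart the application afterwards; a running JVM does not re-read cacerts.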

I haven’t used portecle, but I found that Keystore Explorer works pretty well for Windows and Linux (and it should work on OSX as well).

D:\Java\jdk1.5.0_10\bin\keytool -import -file "D:\Certificates\SDS services\Dev\dev-sdsservices-was8.infavig.com.cer" -keystore "D:\Java\jdk1.5.0_10\jre\lib\security\cacerts" -alias "sds certificate" 

At least in java 11 (sapmachine jre) the syntax changed slightly according to the manfile: keytool.exe -importcert -file -cacerts -alias ""


I ended up writing a small script that adds the certificates to the keystores, so it is much easier to use.

#!/bin/bash
# version 1.0
# https://github.com/ssbarnea/keytool-trust
REMHOST=$1
REMPORT=${2:-443}
KEYSTORE_PASS=changeit
KEYTOOL="sudo keytool"
# /etc/java-6-sun/security/cacerts
for CACERTS in /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts \
    /usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts \
    "/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts" \
    "/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/MacOS/itms/java/lib/security/cacerts"
do
    if [ -e "$CACERTS" ]
    then
        echo --- Adding certs to "$CACERTS"
        # FYI: the default keystore is located in ~/.keystore
        if [ -z "$REMHOST" ]
        then
            echo "ERROR: Please specify the server name to import the certificate from, eventually followed by the port number, if other than 443."
            exit 1
        fi
        set -e
        rm -f "/tmp/$REMHOST:$REMPORT.pem"
        # Fetch the server certificate. The PEM extraction step was lost when this
        # script was copied; it is reconstructed from the openssl/sed pipeline shown
        # earlier on this page.
        if openssl s_client -connect "$REMHOST:$REMPORT" </dev/null 1>/tmp/keytool_stdout 2>/tmp/output
        then
            sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' /tmp/keytool_stdout > "/tmp/$REMHOST:$REMPORT.pem"
        else
            echo "ERROR: Unable to extract the certificate from $REMHOST:$REMPORT ($?)"
            cat /tmp/output
        fi
        # First the user's default keystore (~/.keystore), then the JRE cacerts
        if $KEYTOOL -list -storepass "$KEYSTORE_PASS" -alias "$REMHOST:$REMPORT" >/dev/null
        then
            echo "Key of $REMHOST already found, skipping it."
        else
            $KEYTOOL -import -trustcacerts -noprompt -storepass "$KEYSTORE_PASS" -alias "$REMHOST:$REMPORT" -file "/tmp/$REMHOST:$REMPORT.pem"
        fi
        if $KEYTOOL -list -storepass "$KEYSTORE_PASS" -alias "$REMHOST:$REMPORT" -keystore "$CACERTS" >/dev/null
        then
            echo "Key of $REMHOST already found in cacerts, skipping it."
        else
            $KEYTOOL -import -trustcacerts -noprompt -keystore "$CACERTS" -storepass "$KEYSTORE_PASS" -alias "$REMHOST:$REMPORT" -file "/tmp/$REMHOST:$REMPORT.pem"
        fi
    fi
done


Most Java applications use the keystore that is supplied with JDK to store cryptographic keys, X.509 certificate chain information, and trusted certificates. The default JDK keystore in Oracle Linux is the /etc/pki/java/cacerts file. You can use the keytool command to generate self-signed certificates and install and manage certificates in the keystore. Note that the keytool command syntax has changed in Java SE 6. The examples that are provided in this chapter apply to this version of the keytool command.

The following examples show how you might use the keytool command.

List the contents of the keystore /etc/pki/java/cacerts:

sudo keytool -list [-v] -keystore /etc/pki/java/cacerts

The default keystore password is changeit. If specified, the verbose option -v displays detailed information.

Change the password for a keystore, for example /etc/pki/java/cacerts:

sudo keytool -storepasswd -keystore /etc/pki/java/cacerts

The following example shows how you would create a new keystore (keystore.jks) to manage your public/private key pairs and certificates from entities that you trust, generate a public/private key pair by using the RSA algorithm and a key length of 1024 bits, and then create a self-signed certificate that includes the public key and the specified distinguished name information:

sudo keytool -genkeypair -keyalg RSA -keysize 1024 \
    -dname "CN=www.unserdom.com, OU=Eng, O=Unser Dom Corp, C=US, ST=Ca, L=Sunnydale" \
    -alias engineering -keypass pkpassword -keystore keystore.jks \
    -storepass storepassword -validity 100

where pkpassword is the private key password and storepassword is the keystore password. In this example, the certificate is valid for 100 days and is associated with the private key in a keystore entry that has the alias engineering.


Print the contents of a certificate file in a human-readable form:

sudo keytool -printcert [-v] -file cert.cer

If specified, the verbose option -v displays detailed information.

Generate a CSR in the file carequest.csr for submission to a CA:

sudo keytool -certreq -file carequest.csr

The CA signs and returns a certificate or a certificate chain that authenticates your public key.

Import the root certificate or certificate chain for the CA from the ACME.cer file into the keystore.jks keystore and assign it the alias acmeca:

sudo keytool -importcert -alias acmeca [-trustcacerts] -file ACME.cer \
    -keystore keystore.jks -storepass storepassword

If specified, the -trustcacerts option instructs keytool to add the certificate only if it can validate the chain of trust against the existing root CA certificates in the cacerts keystore. Alternatively, you can use the keytool -printcert command to check that the certificate’s fingerprint matches the fingerprint that the CA publishes.

Import the signed certificate for your organization after you have received it from the CA:

sudo keytool -importcert -v -trustcacerts -alias acmeca -file ACMEdom.cer \
    -keystore keystore.jks -storepass storepassword

In this example, the file containing the certificate is ACMEdom.cer. The -alias option specifies the entry for the first entity in the CA’s root certificate chain. The signed certificate is added to the front of the chain and becomes the entity that is addressed by the alias name.

Delete the certificate with the alias aliasname from the keystore.jks keystore:

sudo keytool -delete -alias aliasname -keystore keystore.jks -storepass storepassword

Export the certificate with the alias aliasname as a binary PKCS7 format file, which includes the supporting certificate chain as well as the issued certificate:

sudo keytool -exportcert -noprompt -alias aliasname -file output.p7b \
    -keystore keystore.jks -storepass storepassword

Export the certificate with the alias aliasname as a base64 encoded text file (also referred to as PEM or RFC 1421).

sudo keytool -exportcert -noprompt -rfc -alias aliasname -file output.pem \
    -keystore keystore.jks -storepass storepassword

For a certificate chain, the file includes only the first certificate in the chain, which authenticates the public key of the aliased entity.

For more information, see the keytool(1) manual page.


Where is my Java keystore Linux?

The default JDK keystore on Oracle Linux is the file /etc/pki/java/cacerts. You can use the keytool command to generate self-signed certificates and to install and manage certificates in the keystore.


Where is the keystore file located?

The default location is /Users//.android/debug.keystore. If you don’t find the keystore file there, try the alternative described in step II.

How do I access Java keystore?

You can get the keys of a Java KeyStore instance via its getEntry() method. A KeyStore entry is mapped to an alias which identifies the key, and is protected with a key password. Thus, to access a key you must pass the key alias and password to the getEntry() method.

How do I find my Java keystore?

To view the Java keystore, use the keytool command with the -list option, for example:

  1. On a Windows system, at the prompt, type: keytool -list -keystore "c:\Program Files (x86)\Java\jre\lib\security\cacerts"
  2. On a Linux system, at the prompt, type: keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts.


How do I access a keystore file?

The “View & Send” tab will appear, click “Keystore File”. Click “SELECT WALLET FILE” and navigate to your keystore file. Enter the password used to encrypt the file when the wallet was made. If you printed out your wallet, check to be sure the circles match.

Where are Java certificates stored?

Java certificates are stored in a file called cacerts located at C:\Program Files (x86)\Java\jre1.

How do I find my keystore details?

Java Keytool Commands for Checking

  1. Check a stand-alone certificate: keytool -printcert -v -file mydomain.crt
  2. Check which certificates are in a Java keystore: keytool -list -v -keystore keystore.jks
  3. Check a particular keystore entry using an alias: keytool -list -v -keystore keystore.jks -alias mydomain

How do I find the keystore file in Linux?

  1. I think you can run the following command to list the content of your keystore file.
  2. keytool -v -list -keystore .keystore.
  3. If you are looking for a specific alias, you can also specify it in the command:
  4. keytool -list -keystore .keystore -alias foo.
  5. If the alias is not found, it will display an exception:


Where to find JDK keytool?

If you have Java installed on your Windows computer, you can find it using these suggestions: Try to find the folder "C:\Program Files\Java\jre7\bin". Scroll down in the file list, you should see "keytool.exe" displayed. If not found, try the other folder like: "C:\Program Files\Java\jdk1.7.0_05\bin", if JDK is installed without JRE. Once located, start a command line window by entering "cmd.exe" after clicking the Windows "Start" button.

