How to add a certificate authority (CA) certificate to the OpenJDK cacerts
OpenJDK on CentOS 5 stores its root CAs in the file '/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts'. With the alternatives support it has a few aliases, e.g. '/usr/lib/jvm/jre-openjdk/lib/security/cacerts'. The 'cacerts' Java keystore has a passphrase of 'changeit'.
Convert
The public key certificates need to be in DER format (not PEM). Use openssl to convert the CA certificate if necessary:
$ openssl x509 -in my-ca.crt -inform pem -out my-ca.der -outform der
Display Information
The DER encoded certificate can be displayed:
$ keytool -v -printcert -file my-ca.der
The cacerts keystore can be dumped to verify if a public key certificate is present (the passphrase is 'changeit'):
$ keytool -v -list -keystore \
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts
Import the certificate
# keytool -importcert -alias local-CA \
    -keystore /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts \
    -file my-ca.der
The password for the cacerts keystore is 'changeit'.
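The convert, display and import steps above can be combined into one guarded procedure. The following is an added example, not part of the original page: it refuses to import unless the certificate's SHA-256 fingerprint matches a value obtained out-of-band, and it will not overwrite an existing alias. The function names, the CACERTS and STOREPASS variables and the expected fingerprint are assumptions; the keystore path, alias, file name and passphrase are the page's.

```shell
#!/bin/sh
# Added example, not from the original page. Paths and passphrase are the page's;
# the function names and the out-of-band fingerprint are assumptions.
CACERTS=${CACERTS:-/usr/lib/jvm/jre-openjdk/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Reduce a fingerprint to upper-case hex so "ab:cd" and "ABCD" compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d -c '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a DER-encoded certificate, as printed by openssl.
der_fp() {
    openssl x509 -in "$1" -inform der -noout -fingerprint -sha256 | cut -d= -f2
}

# True if the alias already exists in the keystore.
alias_present() {
    keytool -list -alias "$1" -keystore "$CACERTS" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# import_ca PEM_FILE ALIAS EXPECTED_FINGERPRINT
# Returns 1 on conversion failure, 2 on fingerprint mismatch, 3 if the alias exists.
import_ca() {
    pem=$1; name=$2
    want=$(norm_fp "$3")
    der=$(mktemp) || return 1
    if ! openssl x509 -in "$pem" -inform pem -out "$der" -outform der; then
        rm -f "$der"; return 1
    fi
    got=$(norm_fp "$(der_fp "$der")")
    if [ -z "$want" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $pem, not importing" >&2
        rm -f "$der"; return 2
    fi
    if alias_present "$name"; then
        echo "alias $name already present in $CACERTS" >&2
        rm -f "$der"; return 3
    fi
    # Keep a copy of the trust store so the change can be rolled back.
    # -noprompt skips keytool's trust question; the fingerprint check replaces it.
    cp -p "$CACERTS" "$CACERTS.bak" &&
        keytool -importcert -noprompt -alias "$name" -keystore "$CACERTS" \
            -storepass "$STOREPASS" -file "$der"
    rc=$?
    rm -f "$der"
    return $rc
}
# Usage (as root): import_ca my-ca.crt local-CA "<SHA-256 fingerprint from the CA owner>"
```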
Links
- StartSSL.com certificates
- http://stackoverflow.com/questions/22590248/disconnected-teamcity-build-agent-after-update-teamcity-server-ssl-certificate