How to add a certificate authority (CA) certificate to the OpenJDK cacerts

OpenJDK on CentOS 5 stores its root CAs in the file '/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts'. With the alternatives support it has a few aliases, e.g. '/usr/lib/jvm/jre-openjdk/lib/security/cacerts'. The 'cacerts' Java keystore has a passphrase of 'changeit'.

Convert

The public key certificates need to be in DER format (not PEM). Use openssl to convert the CA certificate if necessary:

$ openssl x509 -in my-ca.crt -inform pem -out my-ca.der -outform der

Display Information

The DER encoded certificate can be displayed:

$ keytool -v -printcert -file my-ca.der

The cacerts keystore can be dumped to verify if a public key certificate is present (the passphrase is 'changeit'):

$ keytool -v -list -keystore \
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts 

Import the certificate

# keytool -importcert -alias local-CA \
    -keystore /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts \
    -file my-ca.der

The password for the cacerts keystore is 'changeit'.
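
A certificate added to cacerts becomes a trust anchor for every Java application that uses this JRE, so it is worth checking its SHA-256 fingerprint against a value obtained out of band before converting and importing it. The script below is an added example, not part of the original page; the function names and the script name 'pin-ca.sh' are assumptions, and make_sample_ca only builds a constructed throwaway certificate for trying the check.

```shell
#!/bin/sh
# Added example: pin a CA certificate's SHA-256 fingerprint before it is imported.
set -eu

# Print the SHA-256 fingerprint of a certificate as bare uppercase hex (no colons).
# $1 = certificate file, $2 = encoding (pem or der)
cert_sha256() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Convert PEM to DER only if the fingerprint matches the expected value.
# $1 = PEM file, $2 = expected fingerprint (colons and case ignored), $3 = DER output
stage_ca() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(cert_sha256 "$1" pem)
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $1: got $got" >&2
        return 1
    fi
    openssl x509 -in "$1" -inform pem -out "$3" -outform der
}

# Import the staged DER file, then confirm the alias is listed in the keystore.
# $1 = keystore path, $2 = alias, $3 = DER file; 'changeit' is the cacerts passphrase.
import_ca() {
    keytool -importcert -noprompt -alias "$2" -keystore "$1" \
        -storepass changeit -file "$3"
    keytool -list -alias "$2" -keystore "$1" -storepass changeit
}

# Constructed sample input: a throwaway self-signed certificate written to $1.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Hypothetical usage: ./pin-ca.sh my-ca.crt <expected-fingerprint> <keystore> [alias]
if [ "$#" -ge 3 ]; then
    stage_ca "$1" "$2" my-ca.der
    import_ca "$3" "${4:-local-CA}" my-ca.der
fi
```

The import step uses -noprompt because the fingerprint has already been compared; without a verified fingerprint, let keytool prompt and read the printed certificate details before answering.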
