
Keystores

When using the "keytool" command, make sure that you're using the Sun version and not the GNU version. If in doubt, use /usr/local/java/bin/keytool directly.

Viewing the contents of a keystore file:

keytool -keystore mystore.keystore -list -storepass password

Viewing the contents in more detail (one entry per certificate, with fingerprints and validity dates):

keytool -keystore mystore.keystore -list -v -storepass password

I want my Java application to trust a server

If the certificate you are trying to trust is for an "intermediate CA", that is, a CA that issued your certificate but isn't a root, then you shouldn't do this. The problem is with the other server not being configured correctly. A correctly configured server sends the details of its intermediate CA (the whole "certificate chain"), and your application then trusts it by following the chain to one of the roots it already trusts. Get in touch with the owner of the other server, and use the server connect command on the OpenSSL page to check that the server is sending the intermediate certificate.

This is usually only necessary when working with test servers that are self-signed or signed by an untrusted CA; a production server should have a certificate that's already trusted. The certificate you want to trust will either be an intermediate CA or some other root that isn't in any default trust list. You should start off with a certificate file in DER (keytool also accepts the PEM encoding, as in the example below). The file name and alias are your choice; the alias doesn't otherwise matter, but it must be unique within the keystore.

keytool -keystore /etc/cacerts -storepass changeit -import -file ROOTCERT.PEM -alias rootcertca

If you know what the server is but don't have a certificate for it as a file, you can use this openssl command to grab it:

openssl s_client -connect yourserver.example.com:443 -showcerts

The output will contain PEM versions of every certificate the server presented, in chain order. Copy and paste the block corresponding to the certificate you want to trust into a new file (ending .pem by convention). This is now a regular PEM certificate.

Rather than modify the system-wide cacerts file, it’s better to add certificates to a copy of cacerts and use that for the specific application that needs it, so that you don’t accidentally affect other Java applications. Use the system property javax.net.ssl.trustStore when starting up your application server.
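The procedure above (grab the chain with openssl, pick out one certificate, import it into a private copy of cacerts, then point the application at that copy), scripted end to end as an added example; this is not code from the original page. It assumes openssl and the Sun/Oracle keytool are on PATH, takes the system cacerts path as a parameter (the page uses /etc/cacerts; on current JDKs it is usually $JAVA_HOME/lib/security/cacerts), and the helper names trust_server_cert, count_certs and nth_cert are this example's own. The s_client output it parses offline is a constructed sample with placeholder certificate bodies.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl and keytool on PATH.

# Constructed sample of `openssl s_client -showcerts` output, trimmed to the
# parts that matter. The base64 bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Test CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = yourserver.example.com
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
CACERTPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = yourserver.example.com
issuer=CN = Example Test CA'

# count_certs: number of PEM certificate blocks in the s_client output on stdin.
# A correctly configured server sends the leaf plus its intermediates, so a
# single block is the missing-chain problem described above, not a reason to
# import the intermediate yourself.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# nth_cert N: print only the N-th (1-based) PEM block from stdin, ready to be
# written to a .pem file. Block 1 is the server's own certificate; the last
# block is the top of the chain the server sent.
nth_cert() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/            { n++ }
    n == want                                { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  '
}

# trust_server_cert HOST PORT N SYSTEM_CACERTS PRIVATE_STORE
# Fetch the chain from HOST:PORT, save the N-th certificate, import it into a
# private copy of cacerts and verify the entry. Needs network and keytool, so
# it is not run by the offline demo at the bottom.
trust_server_cert() {
  host=$1; port=$2; n=$3; system_cacerts=$4; store=$5
  name="$host-chain-$n"

  # </dev/null closes s_client's stdin so it exits after the handshake;
  # -servername sends SNI so a shared host returns the right certificate.
  chain=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -showcerts </dev/null 2>/dev/null)

  total=$(printf '%s\n' "$chain" | count_certs)
  [ "$total" -ge "$n" ] || { echo "server sent only $total certificate(s)" >&2; return 1; }

  printf '%s\n' "$chain" | nth_cert "$n" > "$name.pem"

  # Work on a copy, as recommended above, never on the system-wide file.
  [ -f "$store" ] || cp "$system_cacerts" "$store"
  keytool -keystore "$store" -storepass changeit -importcert -noprompt \
          -file "$name.pem" -alias "$name"

  # Confirm the entry is really there before pointing an application at it.
  keytool -keystore "$store" -storepass changeit -list -v -alias "$name"

  echo "start the application with:"
  echo "  java -Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=changeit ..."
}

# Offline demo on the constructed sample: how many certificates the server sent,
# then the top of the chain (block 2) as it would be written to a .pem file.
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | count_certs
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | nth_cert 2
```

A real run looks like `trust_server_cert yourserver.example.com 443 2 /etc/cacerts ./myapp.cacerts`; the copied store keeps the default changeit password, which is why both trustStore properties are printed at the end.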