Import a certificate to the Java Keystore

You will need to import a certificate to the Java Keystore if:

  • You are not using an SSL certificate that is signed by an authority trusted by Java.

    Use of a trusted certificate is preferred and recommended because using an untrusted certificate, such as a self-signed certificate, will cause web services communication to fail with the SSLHandshakeException error.

  • You are preparing to switch from Oracle JDK8 to OpenJDK 11.

This information is important only if you are not using an SSL certificate that is signed by an authority trusted by Java. If you do opt to use an untrusted certificate, you must import it into the Java keystore. The general import procedure is described below, followed by examples for Windows and Linux.

  1. Copy the default keystore $JDK_HOME/lib/security/cacerts as $JDK_HOME/lib/security/jssecacerts.

    This leaves the original cacerts file available as a backup. JSSE uses the jssecacerts file, if present, instead of cacerts. The jssecacerts file must start as a copy of cacerts because it overrides cacerts rather than extending it.

  2. Import the certificate to the jssecacerts keystore using the following command, replacing variables as noted below:

    $JDK_HOME/bin/keytool -importcert -file $CERT -alias $ALIAS -keystore $JDK_HOME/lib/security/jssecacerts -storepass changeit

    1. Replace $JDK_HOME with your actual JDK home path.

    2. Replace $CERT with the path to your certificate that you previously installed to the system.

    3. Replace $ALIAS with the preferred alias to be used in the keystore.

    4. Note that changeit is the default password for Java's cacerts file. Check whether it has been changed on your system.

  3. When prompted, check the certificate and confirm that it should be trusted. The prompt to verify and confirm the certificate can be suppressed by adding option -noprompt.

Windows example:

The following command should be written as a single line. It must be run as Administrator. If the Java paths on your system contain spaces, they must be contained in a pair of double straight quotes, as shown.

"C:\Program Files\Java\jdk-11.0.1\bin\keytool" -importcert -file C:\Polarion\bundled\apache\conf\certificate.crt -alias labs.polarion.com -keystore "C:\Program Files\Java\jdk-11.0.1\lib\security\jssecacerts" -storepass changeit 

Linux example (CentOS):

The following command should be written as a single line:

/usr/java/jdk-11.0.1/bin/keytool -importcert -file /etc/pki/tls/certs/cert.pem -alias labs.polarion.com -keystore /usr/java/jdk-11.0.1/lib/security/jssecacerts -storepass changeit

Depending on your operating system and version, additional command parameters may be necessary.

(See https://www.cloudera.com to learn more.)
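
The import procedure above as a Linux shell script, for cases where -noprompt is used and nobody confirms the certificate by hand. This is an added example, not part of the original documentation: it compares the certificate's SHA-256 fingerprint with a value you obtained out-of-band before importing. The function names and the STOREPASS variable are hypothetical; JDK_HOME is assumed to be set as in the procedure.

```shell
#!/bin/sh
# Added example: fingerprint-checked import into jssecacerts.
# Assumes JDK_HOME is set and the expected SHA-256 fingerprint came from
# the certificate owner over a separate, trusted channel.

# Normalize a fingerprint: drop colons and whitespace, upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` output on stdin, print its SHA256 fingerprint.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Succeed only if both values are the same 64 hex digits.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# import_verified CERT ALIAS EXPECTED_FP
import_verified() {
    cert=$1; alias_name=$2; expected=$3
    sec="$JDK_HOME/lib/security"
    actual=$("$JDK_HOME/bin/keytool" -printcert -file "$cert" | extract_sha256)
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $cert; not importing" >&2
        return 1
    fi
    # Step 1: jssecacerts starts as a copy of cacerts; keep an existing one.
    [ -f "$sec/jssecacerts" ] || cp -p "$sec/cacerts" "$sec/jssecacerts"
    # Steps 2-3: the check above stands in for the interactive confirmation,
    # so -noprompt no longer means "trust whatever file is at this path".
    "$JDK_HOME/bin/keytool" -importcert -noprompt -file "$cert" \
        -alias "$alias_name" -keystore "$sec/jssecacerts" \
        -storepass "${STOREPASS:-changeit}"
}

# Run the import only when called with CERT ALIAS EXPECTED_FP.
if [ "$#" -eq 3 ]; then import_verified "$@"; fi
```

Run it with the certificate path, the alias and the expected fingerprint as its three arguments; a mismatch leaves the keystore untouched and returns a non-zero status.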

Keytool Commands

Here are some potentially useful keytool commands:

keytool -list -keystore %JAVA_HOME%\lib\security\jssecacerts -storepass changeit
keytool -delete -alias mykey -keystore %JAVA_HOME%\lib\security\jssecacerts -storepass changeit
keytool -importcert -help
keytool -help
