Importing an SSL CA Certificate Into a Java Keystore

This document describes how to install a CA certificate into a Java keystore. This may be needed for applications that run on a client computer via Java Web Start, especially for applications that rely on older versions of Java. One such example is SunGard Higher Education's Banner Workflow product, which uses Java 1.4.2. Another example is the CampusEAI portal, which must have its cacerts keystore updated on the Oracle Application Server.

Each client has its own keystore for CA certificates, located in the <Java Root>/lib/security/cacerts file (for example, it may be c:\program files\java\j2re1.4.2_12\lib\security on a Windows client, if the user accepted the defaults when installing the software). The keystore should only contain CA certificates, not server certificates. Because this process can be rather intimidating, it may be advisable to maintain a common cacerts file and to distribute it to clients as needed.

The import process must be performed on a server with the target version of Java and with OpenSSL installed. The process is described below:

  1. Change your working directory to the <Java Root>/lib/security directory.

  2. Obtain the CA root and intermediate certificates, and save them as separate files in PEM format in this same directory.

  3. Issue the command ../../bin/keytool -import -trustcacerts -alias alias -file certfile -keystore cacerts, where:

    1. alias is a unique name for the certificate you are storing. It is one word and should describe the certificate; for example, globalsignrootca. If you are not sure what aliases are already being used, you can list them with the command ../../bin/keytool -list -keystore cacerts.

    2. certfile is the filename of the certificate you are storing.

  4. You will be prompted for the keystore password. As delivered by Sun, the password is usually "changeit" or "default".

  5. Repeat the above steps for both the root and the intermediate CA certificate files.

  6. If another user needs to use the updated keystore, copy the cacerts file to their <Java Root>/lib/security directory (or have the user copy it).
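A script that automates steps 3 to 5 for a set of PEM files, as an added example that is not part of the original page: it derives a one-word alias from each filename, skips aliases the keystore already holds, imports with -trustcacerts, and confirms afterwards with keytool -list that each alias is present. It deliberately leaves keytool's confirmation prompt in place so the fingerprint it prints can be compared against the CA's published fingerprint before answering "yes". JAVA_ROOT, its default path, and the helper function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): import root and intermediate CA
# certificates (PEM files) into a Java cacerts keystore, skipping any alias that
# is already present and confirming each entry afterwards. Assumptions: JAVA_ROOT
# is the Java installation directory with keytool in $JAVA_ROOT/bin.

JAVA_ROOT="${JAVA_ROOT:-/usr/lib/jvm/java}"   # assumed default; override per host
KEYSTORE="$JAVA_ROOT/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"            # Sun's delivered default password

# Turn a PEM filename into a one-word alias: "GlobalSign-Root CA.pem" -> globalsignrootca
alias_from_file() {
  basename "$1" | sed 's/\.[^.]*$//' | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9'
}

# Return 0 if alias $2 appears in the "keytool -list" output $1, whose entries
# look like "alias, Jun 29, 2004, trustedCertEntry,".
alias_in_listing() {
  printf '%s\n' "$1" | grep -q "^$2,"
}

list_keystore() {
  "$JAVA_ROOT/bin/keytool" -list -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Import every PEM file given as an argument. -trustcacerts lets keytool chain an
# intermediate to a root already in the store; without -noprompt keytool still
# prints the fingerprint and asks for confirmation, so it can be checked first.
import_ca_files() {
  listing=$(list_keystore) || return 1
  for pem in "$@"; do
    ca_alias=$(alias_from_file "$pem")
    if alias_in_listing "$listing" "$ca_alias"; then
      echo "skip: alias '$ca_alias' already in $KEYSTORE" >&2
      continue
    fi
    "$JAVA_ROOT/bin/keytool" -import -trustcacerts -alias "$ca_alias" \
      -file "$pem" -keystore "$KEYSTORE" -storepass "$STOREPASS" || return 1
  done
  # Verify: every requested alias must now be present in the keystore.
  listing=$(list_keystore) || return 1
  for pem in "$@"; do
    alias_in_listing "$listing" "$(alias_from_file "$pem")" || return 1
  done
}

# Only touch the keystore when certificate files are actually supplied.
if [ "$#" -gt 0 ]; then
  import_ca_files "$@"
fi
```

Run it from the <Java Root>/lib/security directory as `sh import-ca.sh root.pem intermediate.pem` (the script name is an assumption); the `skip:` message makes re-runs safe on a keystore that already has one of the certificates.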
