Run the following command and use the password from the step above and your keystore password: java -cp /path/to/jetty-6.1.7.jar \
You can download the necessary library (you’ll need the main jetty.jar) which can be a huge download for such a small thing, or just grab the jar from here. Here, I will be using a small utility that comes bundled with Jetty called PKCS12Import. Once that’s done, you need to convert the pkcs12 to a JKS. Remember to use a password for the command below, otherwise, the Jetty converter (the following step) will barf in your face! openssl pkcs12 -export -out cert.pkcs12 \ If we’re starting with PEM format, we need to convert the certificate and key to a PKCS12 file.
So, to save everyone else the trouble (and their hair!), I’m jotting down some notes here on how to convert a certificate and private key in PEM format into Java’s keystore and truststore in JKS format.
However, I did manage to solve it and ended up with much less hair. I remember doing this a few years back and there were molehillsmountains of issues to jump across and I did pull my hair out back then. Last night, I had to convert some PEM formatted certificates and private keys to JKS (was getting SSL nicely configured under Jetty). Try to do SSL client certificate authentication from ground up and you’ll know what I mean. However, Java’s crypto framework is just absolutely irritating to use – tons of unnecessary boiler plate, and not enough of self discovery of file formats (as an example). I remember using openssl as a library about 3-4 years ago in a project that was pretty crypto heavy and their library can be used by any junior developer – it’s that simple to use. You will now be able to make secure SSL/TLS connections to servers which haveĪ certificate signed by the CA which we just imported.If there is one irritating, arcane issue about Java, it is their SSL and Crypto framework. (name) with grep: keytool -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -list | grep startssl To do that list the trust store content and filter for the certificate alias Verify that the root certificate has been imported The keytool will prompt you for confirmation, enter yes to complete the (the default password for the CA store is changeit) to /usr/lib/jvm/java-7-oracle įor -alias pick some unique name for the certificate in the store: keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file ca.der That points to your Java installation, e.g. Import the root certificate into the JVM trust storeĮnter the following command where $JAVA_HOME is a shell environment variable Validate the root certificate contentĮnsure that the Java keytool can parse the certificate and display its content: keytool -v -printcert -file ca.der openssl x509 -in ca.pem -inform pem -out ca.der -outform der Were able to obtain the root certificate in DER format, skip this step. Output, in DER format (which the Java keytool utility can understand). Original certificate filename in PEM format, and ca.der the filename to This can be done with help of the openssl toolkit, where ca.pem is the Convert the root certificate to DER format Public information and CAs always make them available for download. Obtain the root certificateįor StartCom the root certificate was made available at Instructions for importing a CA root certificate into the JVM trust store Step 1. Reason has not been included in the default JVM trust store. The root certificate of StartCom is recognised by browsers, but for some
We recently encountered such a case when a user of theĪble to connect to a web server which has a certificate issued by the StartComĬA. Trust, but is not listed in the default Java trust store, you will need to If your company has its own CA, or, if you want to make SSL/TLS connections toĪ server in possession of a certificate issued by a CA which you recognise and HTTPS or LDAPS) and the serverĭoesn't respond with a certificate issued by a recognised authority, theĬonnection will fail with the following exception: CertPathBuilderException: unable to find valid certification path to requested target If you try to make a secure connection (e.g. Validate a server's claimed identity (typically represented by its domain Time an SSL/TLS connection is made, that database is queried in order to Web browsers and application runtimes, such as Java, have a special local Blog » How to import a CA root certificate into the JVM trust store