Martin Probst's weblog

Installing/importing a root certificate in Java

Friday, March 14, 2008, 13:30 — 0 comments Edit

I just completed the nice exercise of installing a root certificate into a Java installation on a Debian server. Somebody I need to communicate with uses a certificate signed by a root CA ( that is apparently not included in the JVM 1.5.0_14 that ships with my Debian.

The only documentation I could find after lots of Googling is extremely verbose and obfuscated, so here comes the short hand version.

Basically you download their certificate, in this case here. Then you convert the certificate into the PEM format (whatever that is…), and install it into the system wide cacerts keystore. You’ll be asked for the password to that store, it is changeit (and please don’t change it!).

Oh and of course in between you perform extensive measures to make sure the certificate is valid, such as, well, … you can compare the fingerprint to the one on the webpage where you downloaded it, tremendously secure ;-)

# convert:
openssl x509 -in a-cert-globaltrust.crt -out a-cert-globaltrust.pem -outform PEM
# install, type "changeit" for the password
keytool -import -file a-cert-globaltrust.pem -keystore /etc/java-1.5.0-sun/security/cacerts

You might also want to install it for openssl clients, as documented here.

No comments.