Installing/importing a root certificate in Java
I just completed the nice exercise of installing a root certificate into a Java installation on a Debian server. Somebody I need to communicate with uses a certificate signed by a root CA (a-cert.at) that is apparently not included in the JVM 1.5.0_14 that ships with my Debian.
The only documentation I could find after lots of Googling is extremely verbose and obfuscated, so here comes the short hand version.
Basically you download their certificate, in this case here. Then you convert the certificate into the PEM format (whatever that is…), and install it into the system wide cacerts keystore. You’ll be asked for the password to that store, it is changeit (and please don’t change it!).
Oh and of course in between you perform extensive measures to make sure the certificate is valid, such as, well, … you can compare the fingerprint to the one on the webpage where you downloaded it, tremendously secure ;-)
# convert: openssl x509 -in a-cert-globaltrust.crt -out a-cert-globaltrust.pem -outform PEM # install, type "changeit" for the password keytool -import -file a-cert-globaltrust.pem -keystore /etc/java-1.5.0-sun/security/cacerts
You might also want to install it for openssl clients, as documented here.