Add a Certificate Authority Root Certificate to the Key Store

Use the following steps to add a Certificate Authority (CA) root certificate to the Java key store (the cacerts file) so that Java applications on the system can connect to an HTTPS site whose certificate chain is not already trusted.

Note: You must run these commands as root, or with sudo, to have permission to modify the system key store.

Using a browser, open the URL of the site that is not trusted and view its certificate information. Export the certificate, or the certificate of the CA that issued it, to a file (PEM or DER; keytool reads both) for use in the import steps below.

List the Trusted CAs

Mac

First, locate the Java home directory, which is where Java is installed on the system. On a Mac, running /usr/libexec/java_home prints this path:

/usr/libexec/java_home

keytool -list -keystore `/usr/libexec/java_home`/jre/lib/security/cacerts

keytool -list -keystore <cacerts>

Replace <cacerts> with the path to the cacerts file of the Java installation in use. The jre/lib/security/cacerts path shown above applies to JDK 8 and earlier; in JDK 9 and later the file is at lib/security/cacerts directly under the Java home.

Windows

"C:\Program Files\Java\jre7\bin\keytool" -list -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"

Add a New CA Certificate

Mac

sudo keytool -keystore `/usr/libexec/java_home`/jre/lib/security/cacerts -importcert -alias api-dev -file api-dev-netapp-cert.pem

When prompted for a password, first enter your sudo password, then the keystore password.

Note: The default keystore password is changeit.

When prompted to confirm trusting the certificate, check the details keytool just printed (Owner, Issuer, validity dates and the SHA256 fingerprint) before answering yes.

You should always confirm with your certificate authority, or the company you purchased the certificate from, that you are adding the correct certificate: compare the SHA256 fingerprint keytool prints with the value published by the CA or obtained over a separate channel you trust, never with a value taken from the same untrusted connection. Every entry in cacerts is a trust anchor for all Java applications that use that installation, so importing a wrong or attacker-supplied CA certificate lets its holder issue certificates those applications will accept for any host name. Importing the site's own certificate, as the examples on this page do, pins that single certificate and must be repeated when the site renews it; importing the issuing CA's certificate instead survives renewals but extends trust to everything that CA signs.

Obtaining an Example Certificate

Use this example to obtain a certificate and install it. It uses openssl to retrieve the certificate that example.com presents during the TLS handshake and writes it to a file. Note that this captures the site's own (end-entity) certificate, not the CA certificate that issued it.

Note: example.com is an IANA managed site for use as an example in documentation.

# -servername sends SNI so the server returns the certificate for that host name;
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -out ~/example.crt
sudo keytool -importcert -file ~/example.crt -alias example -keystore $(/usr/libexec/java_home)/jre/lib/security/cacerts -storepass changeit

Windows

From the Start menu, open a command prompt as an administrator (right-click Command Prompt and choose "Run as administrator").

"C:\Program Files\Java\jre7\bin\keytool" -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -importcert -alias symantecca -file api-dev-netapp-cert.pem

Additional Information for Adding a Certificate

Use this syntax to import a certificate without keytool displaying it and prompting for confirmation. The -noprompt option answers the "Trust this certificate?" question automatically, -trustcacerts additionally lets keytool use the certificates in cacerts when it tries to build a chain for the incoming certificate (redundant when the target keystore is cacerts itself), and -import is the older spelling of -importcert. Because nothing is shown before the import, verify the file's fingerprint by other means first; this form is intended for scripted installs of a certificate you have already checked. Note also that -storepass on the command line leaves the keystore password in the shell history and in process listings.

sudo keytool -import -noprompt -trustcacerts -alias symantec -file api-dev-netapp-cert.pem -keystore `/usr/libexec/java_home`/jre/lib/security/cacerts -storepass changeit
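The fetch-and-import sequence from "Obtaining an Example Certificate" and the -noprompt form above, combined into one script as an added example (not code from the original page, and not NetApp's or Oracle's): it fetches the chain the server presents with openssl s_client -showcerts, prefers the issuing CA certificate over the site's own, and performs the -noprompt import only after the certificate's SHA256 fingerprint matches a value you supply from an out-of-band source. It also handles both cacerts layouts (JDK 8 jre/lib/security and JDK 9+ lib/security). It assumes a POSIX shell with openssl and keytool on the PATH, and uses /usr/libexec/java_home only when JAVA_HOME is unset (Mac); the function names and the cert-N.pem file naming are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: fetch a server's certificate chain,
# prefer the issuing CA over the site's own (leaf) certificate, and import it into
# the Java cacerts file only after its SHA-256 fingerprint matches a value the
# operator obtained out of band. Assumes openssl and keytool on PATH; the
# function names and the cert-N.pem file naming are this example's own.
set -eu

# Locate cacerts under a Java home for both layouts: JDK 9+ keeps it in
# lib/security, JDK 8 and earlier (the page's commands) in jre/lib/security.
find_cacerts() {
    local home="$1" p
    for p in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Split a PEM bundle on stdin into outdir/cert-0.pem, cert-1.pem, ... in the
# order the certificates appear (cert-0 is the leaf when the input came from
# s_client -showcerts; the last file is the highest CA the server sent).
split_pem_bundle() {
    local dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n++) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }'
}

# Fetch the chain the server presents. -servername sends SNI so a virtual host
# answers with the right certificate; </dev/null closes stdin so s_client
# exits after the handshake instead of waiting for input.
fetch_chain() {
    local host="$1" port="$2" dir="$3"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | split_pem_bundle "$dir"
}

# Colon-separated uppercase SHA-256 fingerprint, the same form keytool prints.
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True when BasicConstraints says CA:TRUE, i.e. the certificate can issue others.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# The page's -noprompt import, gated on a fingerprint comparison. Refuses
# (returns 1) before touching the keystore if the file is not the expected one.
import_verified() {
    local cert="$1" expected="$2" keystore="$3" alias="$4" storepass="${5:-changeit}" actual
    actual="$(sha256_fingerprint "$cert")"
    if [ "$actual" != "$expected" ]; then
        printf 'refusing %s: fingerprint %s does not match expected %s\n' \
            "$cert" "$actual" "$expected" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
        -keystore "$keystore" -storepass "$storepass"
}

# Usage: sudo sh add-ca.sh api-dev.connect.netapp.com AB:CD:...:EF [alias]
# The fingerprint argument must come from the CA or the site owner, never from
# the connection being verified.
main() {
    local host="$1" expected="$2" alias="${3:-$1}" work cacerts chosen f
    work="$(mktemp -d)"
    cacerts="$(find_cacerts "${JAVA_HOME:-$(/usr/libexec/java_home)}")"
    fetch_chain "$host" 443 "$work"
    chosen=""
    for f in "$work"/cert-*.pem; do          # keep the last CA cert in the chain
        if is_ca_cert "$f"; then chosen="$f"; fi
    done
    if [ -z "$chosen" ]; then
        echo "server sent no CA certificate; falling back to the leaf (breaks on renewal)" >&2
        chosen="$work/cert-0.pem"
    fi
    openssl x509 -in "$chosen" -noout -subject -issuer -enddate
    import_verified "$chosen" "$expected" "$cacerts" "$alias"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

The script refuses to run keytool at all when the fingerprint differs, so a mismatch leaves cacerts untouched; the choice of the last CA:TRUE certificate in the chain means the server's intermediate is what gets imported when the root itself is not sent, which is why the out-of-band fingerprint, not the chain, is the source of trust.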

Example of Adding a Certificate on a Mac

mb-mba3:NCbrowse2 mikeb$ sudo keytool -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_25.jdk/Contents/Home/jre/lib/security/cacerts -importcert -alias symantecca -file api-dev-netapp-cert.pem
Password:
Enter keystore password:  
Owner: CN=api-dev.connect.netapp.com, OU=IT1, O=NetApp, L=Sunnyvale, ST=California, C=US
Issuer: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Serial number: 31e469a6c7f8e74170ae79c4d3f8f1c5
Valid from: Wed May 07 20:00:00 EDT 2014 until: Sat May 07 19:59:59 EDT 2016
Certificate fingerprints:
	 MD5:  69:16:10:36:BE:19:C4:7E:05:8A:48:C6:E6:4B:59:5C
	 SHA1: D4:C7:D9:26:64:E8:40:2A:1E:B3:BE:8B:02:93:A7:99:73:A1:5E:25
	 SHA256: 68:99:79:51:ED:AE:EB:FE:66:4C:D3:1F:B7:0F:64:90:81:31:02:B4:03:1A:49:9B:81:AA:72:4C:4F:44:8D:33
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ss.symcd.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://ss.symcb.com/ss.crt
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5F 60 CF 61 90 55 DF 84   43 14 8A 60 2A B2 F5 7A  _`.a.U..C..`*..z
0010: F4 43 18 EF                                        .C..
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ss.symcb.com/ss.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 17 68 74 74 70 73 3A   2F 2F 64 2E 73 79 6D 63  ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70   73                       b.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 19 1A 17 68 74 74 70   73 3A 2F 2F 64 2E 73 79  0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F   72 70 61                 mcb.com/rpa

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: api-dev.connect.netapp.com
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
mb-mba3:NCbrowse2 mikeb$ 

Example of Adding a Certificate on Windows 7

C:\Windows\system32>cd \

C:\>"C:\Program Files\Java\jre7\bin\keytool" -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -importcert -alias symantecca -file api-dev-netapp-cert.pem
Enter keystore password:
Owner: CN=api-dev.connect.netapp.com, OU=IT1, O=NetApp, L=Sunnyvale, ST=California, C=US
Issuer: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Serial number: 31e469a6c7f8e74170ae79c4d3f8f1c5
Valid from: Wed May 07 20:00:00 EDT 2014 until: Sat May 07 19:59:59 EDT 2016
Certificate fingerprints:
         MD5:  69:16:10:36:BE:19:C4:7E:05:8A:48:C6:E6:4B:59:5C
         SHA1: D4:C7:D9:26:64:E8:40:2A:1E:B3:BE:8B:02:93:A7:99:73:A1:5E:25
         SHA256: 68:99:79:51:ED:AE:EB:FE:66:4C:D3:1F:B7:0F:64:90:81:31:02:B4:03:1A:49:9B:81:AA:72:4C:4F:44:8D:33
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ss.symcd.com
,
   accessMethod: caIssuers
   accessLocation: URIName: http://ss.symcb.com/ss.crt
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5F 60 CF 61 90 55 DF 84   43 14 8A 60 2A B2 F5 7A  _`.a.U..C..`*..z
0010: F4 43 18 EF                                        .C..
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ss.symcb.com/ss.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 17 68 74 74 70 73 3A   2F 2F 64 2E 73 79 6D 63  ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70   73                       b.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 19 1A 17 68 74 74 70   73 3A 2F 2F 64 2E 73 79  0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F   72 70 61                 mcb.com/rpa

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: api-dev.connect.netapp.com
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

C:\>