In this post, I am going to explain what the cacerts file is, how to view its contents, and how to import a certificate into it.
What is cacerts file?
'cacerts' is a truststore: it holds the collection of trusted certificate authority (CA) certificates. The default password for the cacerts file is changeit. You need the password to view the contents or to import a new certificate. Because that default is the same on every installation, the password alone does not protect the file; what keeps the truststore intact is that it is owned by root and writable only by root (see the listing below).
Cacerts file location
On Windows and Linux, the cacerts file is located at <JAVA_HOME>/jre/lib/security/cacerts.
On Mac, the cacerts file is located at '/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts', which is a symbolic link to the actual file:
$ ls -l /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
lrwxr-xr-x  1 root  wheel  81 Mar 14  2014 /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts
List all certificates installed in cacerts file
Run 'keytool -list -keystore cacerts' to list all the installed certificates. Enter the password as 'changeit' when prompted. Each entry is printed as an alias line followed by the certificate's SHA1 fingerprint:
$ keytool -list -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 210 entries

keychainrootca-99, 28 Sep, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 2F:17:3F:7D:E9:96:67:AF:A5:7A:F8:0A:A2:D1:B1:2F:AC:83:03:38
keychainrootca-98, 28 Sep, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
keychainrootca-97, 28 Sep, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
keychainrootca-96, 28 Sep, 2013, trustedCertEntry,
.......
.......
.......
Add new certificate into cacerts
Step 1: Generate a certificate. The following command generates a key pair with a self-signed certificate under the alias mycertificate and stores it in keystore.jks:
keytool -genkey -alias mycertificate -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
The command prompts you for some basic information (the fields of the certificate's distinguished name) and then writes the keystore.jks file.
$ keytool -genkey -alias mycertificate -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  localhost
What is the name of your organization?
  [Unknown]:  abcdef
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=localhost, OU=localhost, O=abcdef, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  y
Step 2: Export the generated certificate from keystore.jks into the file server.cer. The following command exports the certificate (only the public certificate, not the private key) into server.cer:
keytool -export -alias mycertificate -storepass changeit -file server.cer -keystore keystore.jks
$ keytool -export -alias mycertificate -storepass changeit -file server.cer -keystore keystore.jks
Certificate stored in file <server.cer>
Step 3: Run the following keytool command from the directory where you created the keystore and server certificate. The -keystore argument must point at the JRE's actual cacerts file (see the location section above; the Mac path is shown here, use <JAVA_HOME>/jre/lib/security/cacerts on Windows and Linux), otherwise keytool simply creates a new keystore file instead of updating the truststore. Since cacerts is owned by root, the import has to be run as root (note the # prompt in the session below).
keytool -import -v -trustcacerts -alias mycertificate -file server.cer -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts -keypass changeit -storepass changeit
# keytool -import -v -trustcacerts -alias mycertificate -file server.cer -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts -keypass changeit -storepass changeit
Owner: CN=localhost, OU=localhost, O=abcdef, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=localhost, OU=localhost, O=abcdef, L=Bangalore, ST=Karnataka, C=IN
Serial number: 3a1b1e95
Valid from: Mon Oct 26 14:09:55 IST 2015 until: Sun Jan 24 14:09:55 IST 2016
Certificate fingerprints:
	 MD5:  8A:00:81:ED:FE:EB:53:B1:9D:21:5A:59:50:35:78:5E
	 SHA1: 5C:DB:99:33:8D:7A:AC:30:15:70:81:89:1F:9A:6B:0D:05:81:76:99
	 SHA256: 31:DC:6F:9E:5E:D0:A6:2F:1F:91:B5:A7:DF:01:DD:04:73:EC:6A:E7:7C:A3:01:26:D3:60:22:3E:E5:08:5D:17
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 50 37 39 54 AE E5 EE D3   6F BF 15 C4 23 4C A4 2E  P79T....o...#L..
0010: 43 B7 A7 0E                                        C...
]
]

Trust this certificate? [no]:  y
Certificate was added to keystore
[Storing /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts]
Use the following command to verify whether the certificate is in cacerts or not. Besides checking that the alias exists, compare the SHA1 fingerprint it prints with the one shown during the import (5C:DB:99:... above); they must match.
# keytool -list -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts -alias mycertificate
Enter keystore password:
mycertificate, 26 Oct, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 5C:DB:99:33:8D:7A:AC:30:15:70:81:89:1F:9A:6B:0D:05:81:76:99
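To make that fingerprint comparison mechanical rather than by eye, here is an added shell example (not from the original post) that parses the output of 'keytool -printcert' and 'keytool -list' shown above and reports under which alias, if any, the exported certificate is present in cacerts. The function names and the constructed sample input are my own; the wrapper at the end needs keytool on PATH.

```sh
#!/bin/sh
# Added example, not part of the original post: confirm that the certificate in
# server.cer is really present in cacerts by matching SHA1 fingerprints instead
# of trusting the alias name alone.

# Read `keytool -printcert -file <cer>` output on stdin and print its SHA1
# fingerprint (the "SHA1: 5C:DB:..." line in the "Certificate fingerprints:" block).
fingerprint_from_printcert() {
  sed -n 's/^[[:space:]]*SHA1: *\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1
}

# Read `keytool -list` output on stdin and print the alias of the entry whose
# "Certificate fingerprint (SHA1):" line contains $1; prints nothing if absent.
# keytool prints the alias line and the fingerprint line separately, so the
# alias is remembered from the line preceding each fingerprint line.
alias_for_fingerprint() {
  awk -v fp="$1" '
    /^Certificate fingerprint/ { if (index($0, fp) > 0) print alias; next }
    { alias = $0; sub(/,.*/, "", alias) }'
}

# Wrapper around the real commands (hypothetical helper; needs keytool on PATH).
# Usage: check_cert_in_truststore server.cer /path/to/cacerts [storepass]
check_cert_in_truststore() {
  fp=$(keytool -printcert -file "$1" | fingerprint_from_printcert)
  [ -n "$fp" ] || { echo "no SHA1 fingerprint found in $1" >&2; return 2; }
  found=$(keytool -list -keystore "$2" -storepass "${3:-changeit}" | alias_for_fingerprint "$fp")
  if [ -n "$found" ]; then
    echo "present in $2 as alias '$found' (SHA1 $fp)"
  else
    echo "NOT present in $2 (SHA1 $fp)" >&2
    return 1
  fi
}
```

Run it as `check_cert_in_truststore server.cer /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts`; a non-zero exit status means the exported certificate is not in the truststore, whatever alias may exist.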