Monday 26 October 2015

Java cacerts file

In this post, I am going to explain what the cacerts file is, how to view its contents, and how to import a certificate into it.

What is cacerts file?
'cacerts' is a truststore: it holds the collection of certificate authority (CA) certificates that the JVM trusts. The default password for the cacerts file is the well-known value changeit. You need the password to view the contents or to import a new certificate.

Cacerts file location
On Windows and Linux, the cacerts file is located at <JAVA_HOME>/jre/lib/security/cacerts.
On Mac, the cacerts file is located at '/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts'.
$ ls -l /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
lrwxr-xr-x  1 root  wheel  81 Mar 14  2014 /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts

List all certificates installed in cacerts file
'keytool -list -keystore cacerts' lists all the installed certificates. Enter the password 'changeit' when prompted.
$ keytool -list -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 210 entries

keychainrootca-99, 28 Sep, 2013, trustedCertEntry, 
Certificate fingerprint (SHA1): 2F:17:3F:7D:E9:96:67:AF:A5:7A:F8:0A:A2:D1:B1:2F:AC:83:03:38
keychainrootca-98, 28 Sep, 2013, trustedCertEntry, 
Certificate fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
keychainrootca-97, 28 Sep, 2013, trustedCertEntry, 
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
keychainrootca-96, 28 Sep, 2013, trustedCertEntry,
.......
.......
.......

Add new certificate into cacerts
Step 1: Generate a certificate. The following command generates a key pair and a self-signed certificate.

keytool -genkey -alias mycertificate -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

The above command prompts you for some basic information and generates the keystore.jks file.

$ keytool -genkey -alias mycertificate -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  localhost
What is the name of your organization?
  [Unknown]:  abcdef
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=localhost, OU=localhost, O=abcdef, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  y


Step 2: Export the generated certificate from keystore.jks into the file server.cer. The following command does the export.

keytool -export -alias mycertificate -storepass changeit -file server.cer -keystore keystore.jks

$ keytool -export -alias mycertificate -storepass changeit -file server.cer -keystore keystore.jks
Certificate stored in file <server.cer>


Step 3: Run the following keytool command from the directory where you created the keystore and server certificate, pointing -keystore at your cacerts file (the run below uses the Mac path). Check the fingerprint keytool prints before answering 'y': every certificate added here is trusted by every Java application using this JVM.

keytool -import -v -trustcacerts -alias mycertificate  -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

# keytool -import -v -trustcacerts -alias mycertificate  -file server.cer -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts -keypass changeit -storepass changeit
Owner: CN=localhost, OU=localhost, O=abcdef, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=localhost, OU=localhost, O=abcdef, L=Bangalore, ST=Karnataka, C=IN
Serial number: 3a1b1e95
Valid from: Mon Oct 26 14:09:55 IST 2015 until: Sun Jan 24 14:09:55 IST 2016
Certificate fingerprints:
  MD5:  8A:00:81:ED:FE:EB:53:B1:9D:21:5A:59:50:35:78:5E
  SHA1: 5C:DB:99:33:8D:7A:AC:30:15:70:81:89:1F:9A:6B:0D:05:81:76:99
  SHA256: 31:DC:6F:9E:5E:D0:A6:2F:1F:91:B5:A7:DF:01:DD:04:73:EC:6A:E7:7C:A3:01:26:D3:60:22:3E:E5:08:5D:17
  Signature algorithm name: SHA256withRSA
  Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 50 37 39 54 AE E5 EE D3   6F BF 15 C4 23 4C A4 2E  P79T....o...#L..
0010: 43 B7 A7 0E                                        C...
]
]

Trust this certificate? [no]:  y
Certificate was added to keystore
[Storing /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts]


Use the following command to verify whether the certificate is now in cacerts.

# keytool -list -keystore /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts -alias mycertificate
Enter keystore password:  
mycertificate, 26 Oct, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 5C:DB:99:33:8D:7A:AC:30:15:70:81:89:1F:9A:6B:0D:05:81:76:99