Import CA Certificate for use by Java


I added a PEM formatted certificate to /etc/pki/ca-trust/source/anchors and ran "update-ca-trust", but the new certificate was not added to the /etc/pki/ca-trust/extract/java/cacerts file as I believe it should have been. Is there a special format the certificate has to have?
Thanks,
Allen

Responses

I'll have a look at our doco at work tomorrow to see if I can find some info for you.

But the main reason for my post is to suggest you post this on a Java forum and/or on Stack Overflow. There'll be tons of people on there with specific java knowledge.

Hi lokmac: Thanks for the suggestion. The problem is really in p11-kit (if it can be characterized as a problem and not just my failing to understand the requirements). It's supposed to add certificates in /etc/pki/ca-trust/source/anchors by running "p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts"

If I use the java keytool program to add my certificate to the java cacerts file manually, it works OK. At least until the next time the system updates the java or ca-certificates RPMs and reruns update-ca-trust, at which point my certificate is removed from the cacerts file. This is the problem I'm trying to cure.

Thanks!

Ahh right. Thanks for the info.

I did find the doco at work, but it's using the keytool as you mention so I guess that's not of much help :-)

Good luck! Hopefully you can find the answer because it sounds useful for me too.

That said, it is probably still worth posting the question on https://serverfault.com/ and maybe CentOS forums given the lack of response here. They seem much more active and will likely have an answer for you.

You could go that route: see the /usr/bin/update-ca-trust script and run the java line (the last one), replacing the filter with --filter=certificates, i.e.:

/usr/bin/p11-kit extract \
    --format=java-cacerts \
    --filter=certificates \
    --overwrite \
    --purpose server-auth \
    /etc/pki/ca-trust/extracted/java/cacerts

The reason that's required is that the certificate is not a CA anchor (i.e. a root authority). Read man trust for details. I guess the same logic explains why the script uses the ca-anchors filter.

However, because of the hardcoded filter, I stole the idea from https://bugzilla.redhat.com/show_bug.cgi?id=1056224.

Basically I made a copy of cacerts (e.g. /etc/pki/java/my-cacerts) and added my certificate via keytool.

Hi Vioral: Thanks for the pointer to the Bugzilla thread. That's exactly my issue.

I solved this with help from the P11-kit mailing list. They suggested:

trust anchor /path/to/<server name>.pem
emacs /etc/pki/ca-trust/source/<server name>.p11-kit
     change "certificate category: other-entry" to "certificate category: authority"
update-ca-trust

I guess this addresses your point about the certificate not being a CA anchor. Anyway, this scheme has withstood a couple of updates to java and a ca-certificates update; so, it seems to be working OK. Thanks for your help!
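The three-step procedure above (trust anchor the PEM, change the stored certificate category to authority, rerun update-ca-trust) done as a script, with the check that matters afterwards: the certificate must appear under trust list --filter=ca-anchors, because that is the filter update-ca-trust passes to p11-kit when it builds the Java cacerts file. This is an added example, not code from the thread or from p11-kit. It assumes the .p11-kit file that trust anchor writes is the newest *.p11-kit file under /etc/pki/ca-trust/source, that the field is written as "certificate-category" (the post shows it with a space, so the sed accepts both), and that the extracted Java keystore uses the OpenJDK default store password "changeit". Presence in cacerts is checked by SHA-256 fingerprint rather than by alias, since the alias p11-kit assigns need not equal the CN.

```shell
#!/bin/sh
# Added example (not from the thread): automate "trust anchor", promote the stored
# object from other-entry to authority, rerun update-ca-trust, and verify that the
# certificate is now a CA anchor and is present in the extracted Java cacerts.
set -eu

# Assumed RHEL paths; the Java store is the one update-ca-trust regenerates.
SOURCE_DIR=/etc/pki/ca-trust/source
JAVA_CACERTS=/etc/pki/ca-trust/extracted/java/cacerts

# Rewrite "certificate-category: other-entry" to "certificate-category: authority"
# in one .p11-kit file (hyphen or space accepted). Written via a temp file so a
# failed sed never leaves a half-written trust object behind.
promote_to_authority() {
    f="$1"
    sed -e 's/^\(certificate[- ]category:\)[[:space:]]*other-entry[[:space:]]*$/\1 authority/' \
        "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Number of objects in a .p11-kit file already marked as authorities.
# grep -c prints 0 but exits 1 when nothing matches, hence the || true.
count_authority_objects() {
    grep -c -E '^certificate[- ]category:[[:space:]]*authority[[:space:]]*$' "$1" || true
}

# SHA-256 fingerprint of a PEM cert, colon-separated uppercase hex, the same
# form keytool -list prints, so the two can be compared textually.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Full procedure; must run as root on the RHEL host.
install_anchor() {
    pem="$1"
    fp=$(cert_fingerprint "$pem")

    trust anchor "$pem"
    # Assumption: the file trust anchor just wrote is the newest in the source dir.
    p11="$(ls -t "$SOURCE_DIR"/*.p11-kit | head -n 1)"
    promote_to_authority "$p11"
    update-ca-trust

    # update-ca-trust extracts the Java store with --filter=ca-anchors, so if the
    # cert is not listed here it will never reach cacerts, whatever keytool says.
    trust list --filter=ca-anchors | grep -F -- "$fp" >/dev/null \
        || { echo "not listed as a CA anchor (fingerprint $fp)" >&2; return 1; }

    # Assumption: default OpenJDK store password.
    keytool -list -keystore "$JAVA_CACERTS" -storepass changeit 2>/dev/null \
        | grep -F -- "$fp" >/dev/null \
        || { echo "not present in $JAVA_CACERTS (fingerprint $fp)" >&2; return 1; }

    echo "anchored $pem via $p11"
}

# Only run the procedure when given a PEM path, so the helpers can be sourced.
if [ "$#" -gt 0 ]; then
    install_anchor "$1"
fi
```

Run it as root with the server certificate's PEM path as the only argument. Note what the category change means: the end-entity certificate itself becomes a trust anchor, so when that certificate is renewed (a Let's Encrypt certificate, for instance, changes every renewal) the new certificate has to be anchored the same way, and the old .p11-kit object should be removed with trust anchor --remove.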

My use case was a Let's Encrypt certificate. I ended up doing this: https://bugzilla.redhat.com/show_bug.cgi?id=1485717#c3. Basically your cert must be shown by trust list --filter=ca-anchors. I'm guessing you could have just created a self-signed CA cert and based your client certs on it.

Note: Most Java servers (jboss, websphere etc) use a dedicated java keystore for certs. So this solution will not work for those platforms...

Which vendor of Java is this thread intended to support? Oracle Java or OpenJDK?

It's OpenJDK on Red Hat Enterprise Linux (RHEL).