Import CA Certificate for use by Java
I added a PEM formatted certificate to /etc/pki/ca-trust/source/anchors and ran "update-ca-trust", but the new certificate was not added to the /etc/pki/ca-trust/extracted/java/cacerts file as I believe it should have been. Is there a special format the certificate has to have?
Thanks,
Allen
Responses
I'll have a look at our doco at work tomorrow to see if I can find some info for you.
But the main reason for my post is to suggest you post this on a Java forum and/or on Stack Overflow. There'll be tons of people on there with specific java knowledge.
Ahh right. Thanks for the info.
I did find the doco at work, but it's using the keytool as you mention so I guess that's not of much help :-)
Good luck! Hopefully you can find the answer because it sounds useful for me too.
That said, it is probably still worth posting the question on https://serverfault.com/ and maybe CentOS forums given the lack of response here. They seem much more active and will likely have an answer for you.
You could go that route, see the /usr/bin/update-ca-trust script and run the java line (last one) by replacing the filter with --filter=certificates, i.e.:
/usr/bin/p11-kit extract \
--format=java-cacerts \
--filter=certificates \
--overwrite \
--purpose server-auth \
/etc/pki/ca-trust/extracted/java/cacerts
The reason why that's required is because the certificate is not a CA anchor (i.e. root authority). Read man trust for details. I guess the same logic applies to explain why the script uses the ca-anchors filter.
However, because of the hardcoded filter, I stole the idea from https://bugzilla.redhat.com/show_bug.cgi?id=1056224.
Basically I made a copy of cacerts (e.g. /etc/pki/java/my-cacerts) and added my certificate via keytool.
My use case was a Let's Encrypt certificate. I ended up doing this: https://bugzilla.redhat.com/show_bug.cgi?id=1485717#c3.
Basically your cert must be shown by trust list --filter=ca-anchors. I'm guessing you could have just created a self signed CA cert and base your client certs on it.
Note: Most Java servers (jboss, websphere etc) use a dedicated java keystore for certs. So this solution will not work for those platforms...
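Two of the answers above make the same point: the extracted Java cacerts file is built with --filter=ca-anchors, so a certificate only lands there if it is a CA anchor, and a plain server (leaf) certificate never will. The following script is an added example for this thread, not code from any of the posters or from Red Hat. It classifies a PEM certificate by its basicConstraints CA flag (an approximation of what the ca-anchors filter keys on, assumed here rather than taken from the thread), and it wraps the "copy cacerts, then keytool -importcert into the copy" workaround from the earlier post in a function. The two certificates it classifies are generated on the fly with openssl and are constructed throwaway material; the path /etc/pki/ca-trust/extracted/java/cacerts and the default "changeit" password are the JDK/p11-kit defaults.

```shell
#!/usr/bin/env bash
# Added example for this thread (not code from the posts or from Red Hat):
# classify a PEM certificate the way the discussion above implies update-ca-trust
# does, and build a private Java truststore for a certificate that is not a CA.
set -eu

# Print "ca" when the certificate carries basicConstraints CA:TRUE, else "leaf".
# Assumption: this flag is what keeps a non-CA certificate out of
# /etc/pki/ca-trust/extracted/java/cacerts, which is extracted with --filter=ca-anchors.
cert_kind() {
  local pem=$1 text
  text=$(openssl x509 -in "$pem" -noout -text)
  case $text in
    *'CA:TRUE'*) echo ca ;;
    *)           echo leaf ;;
  esac
}

# Copy an existing Java truststore and import one extra PEM certificate into the
# copy with keytool, leaving the distribution-managed cacerts file untouched.
# "changeit" is the default password of the JDK cacerts and of p11-kit's output.
make_private_truststore() {
  local src=$1 pem=$2 alias=$3 out=$4
  cp "$src" "$out"
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$out" -storepass changeit -alias "$alias" -file "$pem" >/dev/null
  # Fails (non-zero) if the alias did not make it into the copy.
  keytool -list -keystore "$out" -storepass changeit -alias "$alias" >/dev/null
}

# --- Demo with constructed certificates (generated here, not real CAs) ---------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway CA certificate: the kind of file update-ca-trust picks up from source/anchors.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Demo CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# A throwaway server (leaf) certificate: what the original poster most likely had.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=app.example.test' \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -signkey "$WORK/leaf.key" -days 1 \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

DEMO_CA_PEM=$WORK/ca.pem
DEMO_LEAF_PEM=$WORK/leaf.pem

for pem in "$DEMO_CA_PEM" "$DEMO_LEAF_PEM"; do
  echo "$(basename "$pem"): $(cert_kind "$pem")"   # ca.pem: ca / leaf.pem: leaf
done

# Build the private truststore only where a JDK and the system cacerts are present.
SYSTEM_CACERTS=/etc/pki/ca-trust/extracted/java/cacerts
if command -v keytool >/dev/null 2>&1 && [ -r "$SYSTEM_CACERTS" ]; then
  make_private_truststore "$SYSTEM_CACERTS" "$DEMO_LEAF_PEM" demo-leaf "$WORK/my-cacerts"
  echo "private truststore written to $WORK/my-cacerts"
  echo "use it with: java -Djavax.net.ssl.trustStore=$WORK/my-cacerts ..."
fi
```

If cert_kind reports "leaf" for the file you dropped into /etc/pki/ca-trust/source/anchors, that is the situation the thread describes: update-ca-trust will not extract it into the Java cacerts, and the choices are to trust the issuing CA instead (which is what the anchors directory is for) or to give the application its own truststore via -Djavax.net.ssl.trustStore, as make_private_truststore does.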