Import CA Certificate for use by Java
I added a PEM formatted certificate to /etc/pki/ca-trust/source/anchors and ran "update-ca-trust", but the new certificate was not added to the /etc/pki/ca-trust/extract/java/cacerts file as I believe it should have been. Is there a special format the certificate has to have?
Thanks,
Allen
Responses
I'll have a look at our doco at work tomorrow to see if I can find some info for you.
But the main reason for my post is to suggest you post this on a Java forum and/or on Stack Overflow. There'll be tons of people on there with specific java knowledge.
Ahh right. Thanks for the info.
I did find the doco at work, but it's using the keytool as you mention so I guess that's not of much help :-)
Good luck! Hopefully you can find the answer because it sounds useful for me too.
That said, it is probably still worth posting the question on https://serverfault.com/ and maybe CentOS forums given the lack of response here. They seem much more active and will likely have an answer for you.
You could go that route, see the /usr/bin/update-trust-ca script and run the java line (last one) by replacing the filter with --filter=certificates, i.e.:
/usr/bin/p11-kit extract \
--format=java-cacerts \
--filter=certificates \
--overwrite \
--purpose server-auth \
/etc/pki/ca-trust/extracted/java/cacerts
The reason why that's required is because the certificate is not a CA anchor (i.e. root authority). Read man trust for details. I guess the same logic applies to explain why the script uses the ca-anchors filter.
However, because of the hardcoded filter, I stole the idea from https://bugzilla.redhat.com/show_bug.cgi?id=1056224. Basically I made a copy of cacerts (e.g. /etc/pki/java/my-cacerts) and added my certificate via keytool.
My use case was a Let's Encrypt certificate. I ended up doing this: https://bugzilla.redhat.com/show_bug.cgi?id=1485717#c3.
Basically your cert must be shown by trust list --filter=ca-anchors. I'm guessing you could have just created a self-signed CA cert and based your client certs on it.
Note: Most Java servers (jboss, websphere etc) use a dedicated java keystore for certs. So this solution will not work for those platforms...
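As an added example (not from this thread, p11-kit or any Java tooling), a stdlib-only Python check for the property the two answers above hinge on: a certificate only counts as a CA anchor when its basicConstraints extension says CA:TRUE, so an ordinary server or client certificate is never picked up by the ca-anchors filter that update-ca-trust uses for the Java cacerts. The certificates it builds are constructed, unsigned skeletons for testing the walker; on a real system, trust list --filter=ca-anchors remains the authoritative check.

```python
import base64, re
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"  # content octets of OID 2.5.29.19 (basicConstraints)

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):  # every TLV packed back to back inside buf[start:end]
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def is_ca_certificate(der):  # True only if [3] Extensions carry basicConstraints with cA TRUE
    _, cert_s, _ = read_tlv(der, 0)                       # Certificate SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)               # tbsCertificate SEQUENCE
    for tag, s, _ in children(der, tbs_s, tbs_e):
        if tag != 0xA3:                                   # [3] EXPLICIT Extensions
            continue
        _, exts_s, exts_e = read_tlv(der, s)              # Extensions SEQUENCE
        for _, ext_s, ext_e in children(der, exts_s, exts_e):
            fields = list(children(der, ext_s, ext_e))    # extnID, [critical], extnValue
            if der[fields[0][1]:fields[0][2]] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc_s, bc_e = read_tlv(der, fields[-1][1])  # BasicConstraints SEQUENCE
            # cA is a DER BOOLEAN (01 01 FF); an empty SEQUENCE means cA defaults to FALSE
            return bc_s < bc_e and der[bc_s] == 0x01 and der[bc_s + 2] == 0xFF
    return False                                          # v1 certificate or extension absent

def tlv(tag, body):  # minimal DER encoder (lengths below 65536), only for building test input
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")) + body

def make_test_cert(ca=None):
    """Constructed, unsigned certificate skeleton (NOT a real cert): ca=True/False sets cA, ca=None omits basicConstraints."""
    exts = b""
    if ca is not None:
        value = tlv(0x04, tlv(0x30, tlv(0x01, b"\xff") if ca else b""))  # extnValue OCTET STRING
        exts = tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + value)))
    # [0] version v3, serialNumber, then empty SEQUENCE stand-ins for sigAlg/issuer/validity/subject/spki
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 5 + exts
    der = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))  # + empty sigAlg, signature
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Run it against your anchor file with is_ca_certificate(pem_to_der(open(path).read())); a False result explains why update-ca-trust left the certificate out of the Java cacerts even though the file sits in the anchors directory.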