Import CA Certificate for use by Java

Latest response

I added a PEM formatted certificate to /etc/pki/ca-trust/source/anchors and ran "update-ca-trust", but the new certificate was not added to the /etc/pki/ca-trust/extract/java/cacerts file as I believe it should have been. Is there a special format the certificate has to have?
Thanks,
Allen

AB
Log in to join the conversation

Responses

LM Community Member 60 points
3 May 2017 11:52 AM

I'll have a look at our doco at work tomorrow to see if I can find some infor for you.

But the main reason for my post is to suggest you post this on a Java forum and/or on Stack Overflow. There'll be tons of people on there with specific java knowledge.

AB Community Member 80 points
3 May 2017 4:44 PM

Hi lokmac: Thanks for the suggestion. The problem is really in p11-kit (if it can be characterized as a problem and not just my failing to understand the requirements). It's supposed to add certificates in /etc/pki/ca-trust/source/anchors by running "p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts"

If I use the java keytool program to add my certificate to the java cacerts file manually, it works OK. At least until the next time the system updates the java or ca-certificates RPMs and reruns update-ca-trust, at which point my certificate is removed from the cacerts file. This is problem I'm trying to cure.

Thanks!

LM Community Member 60 points
4 May 2017 1:22 AM

Ahh right. Thanks for the info.

I did find the doco at work, but it's using the keytool as you mention so I guess that's not of much help :-)

Good luck! Hopefully you can find the answer because it sounds useful for me too.

That said, it is probably still worth posting the question on https://serverfault.com/ and maybe CentOS forums given the lack of response here. They seem much more active and will likely have an answer for you.

VT Community Member 60 points
28 September 2017 4:50 AM

You could go that route, see the /usr/bin/update-trust-ca script and run the java line (last one) by replacing the filter with --filter=certificates i.e.:

/usr/bin/p11-kit extract \
    --format=java-cacerts \
    --filter=certificates \
    --overwrite \
    --purpose server-auth \
    /etc/pki/ca-trust/extracted/java/cacerts

The reason why that's required is because the certificate is not a CA anchor (i.e. root authority). Read man trust for details. I guess the same logic applies to explain why the script uses the ca-anchors filter.

However, because of the hardcoded filter, I stole the idea from https://bugzilla.redhat.com/show_bug.cgi?id=1056224.

Basically I made a copy of cacerts (e.g. /etc/pki/java/my-cacerts) and added my certificate via keytool.

AB Community Member 80 points
28 September 2017 11:34 AM

Hi Vioral: Thanks for the pointer to the Bugzilla thread. That's exactly my issue.

I solved this with help from the P11-kit mailing list. They suggested:

trust anchor /path/to/<server name>.pem
emacs /etc/pki/ca-trust/source/<server name>.p11-kit
     change "certificate category: other-entry" to "certificate category: authority"
update-ca-trust

I guess this addresses your point about the certificate not being a CA anchor. Anyway, this scheme has withstood a couple of updates to java and an ca-certificates update; so, it seems to be working OK. Thanks for you help!

VT Community Member 60 points
28 September 2017 4:49 PM

My use case was a Let's Encrypt certificate. I ended up doing this: https://bugzilla.redhat.com/show_bug.cgi?id=1485717#c3. Basically your cert must be shown by trust list --filter=ca-anchors. I'm guessing you could have just created a self signed CA cert and base your client certs on it.

DO Community Member 28 points
5 September 2018 11:08 AM

Note: Most Java servers (jboss, websphere etc) use a dedicated java keystore for certs. So this solution will not work for those platforms...

Warron French's picture Active Contributor 109 points
2 October 2018 9:34 PM

For which vendor of JAVA is this thread intended to support? Oracle JAVA or openjdk?

CD Red Hat Active Contributor 227 points
9 July 2019 12:31 AM

It's OpenJDK on Red Hat Enterprise Linux (RHEL).