How do I import a self-signed certificate using keytool?

Vartan Piroumian
Greenhorn

Joined: Jun 20, 2008
Posts: 2
Hi folks,

I am trying to test a simple Java desktop application that just opens a URL connection via HTTPS using the URL class (passing an "https://...." URL). I need to connect to one of our internal servers for this test.

Our server guys created a self-signed certificate (*.cer file) and gave it to me.

Do I import the *.cer file into my JRE's cacerts file?
Should I import it into a different place (a trust store)?
How do I import it?

What is the difference between a keystore and a trust store? Do they both contain public key certificates?

I'm not sure I understand the -trustcacerts option on keytool.

Many thanks in advance.

Vartan
Vartan Piroumian
Greenhorn

Joined: Jun 20, 2008
Posts: 2
Hello again everyone,

I forgot to say in my original post...

From my reading I think I need a trust store (not a key store). I think I should import the *.cer file (the certificate I was given) into a trust store.

How do I create a trust store and how do I import the *.cer file into it?
Then, how/where do I deploy that to my JRE?

I guess I run keytool with the "correct" arguments. What file does it produce?
What do I do with that file? Do I just copy it to my $JAVA_HOME/jre/lib/security directory?

Many thanks again.

Vartan
Santhosh Kumar
Ranch Hand

Joined: Nov 07, 2000
Posts: 242
From a file format/content point of view, there is absolutely no difference between a KeyStore and a TrustStore, because it is actually a KeyStore that you mark as the TrustStore for the Java security library to use.

This is how SSL certificates and Java applications work:

1. When you connect to an SSL server, the Java application asks the server to send its certificate.

2. The client checks whether the certificate is valid (signature, validity dates, etc.).

3. If step 2 validates successfully, the Java client checks whether the issuer of the certificate can be trusted. This is where the trust store comes into the picture. Java, by default, goes to the <jre>/lib/security/cacerts file to see if the issuer can be accepted. If the (last) issuer is not found in that trust store, it throws an exception.

4. In theory, to test your SSL application in test mode, you can add the server certificate (given by your admin) to the default cacerts (which is a very, very bad approach) or create a new trust store with that certificate and use that in your application (this is the preferred approach).

5. Refer to http://exampledepot.com/egs/javax.net.ssl/Client.html which explains how to use your own keystore as TrustStore.

You can use the keytool -import command to create a new keystore by importing the certificate. Check out http://exampledepot.com/egs/java.security.cert/ImportCert.html
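A worked version of the approach Santhosh describes (step 4's dedicated trust store plus the Client.html pattern), added here as an example and not code from the original thread or the linked pages; the file names, alias, password and URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Connect over HTTPS trusting only the certificates in a dedicated trust store,
 * leaving the JRE's cacerts untouched.
 *
 * Build the trust store first with keytool (the -import command from the answer;
 * file names, alias and password are assumptions for this example). keytool writes
 * it in the JRE's default store type, which is what KeyStore.getDefaultType() loads:
 *
 *   keytool -import -alias internal-server -file server.cer \
 *           -keystore internal-truststore -storepass changeit
 *
 * keytool asks "Trust this certificate?" because a self-signed certificate has no
 * issuer chain for -trustcacerts to check; answer yes only after comparing the
 * printed fingerprint with the one your server admins gave you.
 */
public class InternalHttpsClient {

    /** Loads the trust store and returns an SSLContext that trusts only its entries. */
    static SSLContext contextFor(String trustStorePath, char[] storePass) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, storePass);
        }
        // The TrustManagerFactory turns the KeyStore into the issuer check of step 3.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material: trust only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL and paths; replace with your internal server's values.
        String url = args.length > 0 ? args[0] : "https://internal.example.test/";
        SSLContext ctx = contextFor("internal-truststore", "changeit".toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // affects this connection only
        // Hostname verification stays on: the certificate's CN/SAN must match the URL host.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
    }
}
```

Without any code change, the same file can be handed to the JRE's default SSLContext with -Djavax.net.ssl.trustStore=internal-truststore -Djavax.net.ssl.trustStorePassword=changeit on the java command line, which answers the "how/where do I deploy that to my JRE" question without copying anything into $JAVA_HOME.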