Migration of Cacerts from jre1.4 to jre1.6

Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231
Hi All,

I am planning to migrate the Java version on my machine from 1.4 to 1.6. As there are so many entries in the cacerts file, for hundreds of certificates, I cannot add each of those certificates to the 1.6 cacerts file.

Is there any way/command which I can use, to recompile all Certificates of 1.4 to 1.6?

Thanks in Advance !


God Gave Me Nothing I Wanted, He Gave Me Everything I Needed.
OCPJP6
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083
    

I know of no tool to perform the task but it should be fairly straightforward to write a script (or Java program) to list and export the certificates in the 1.4 cacerts and then import them into the 1.6 cacerts.

P.S. Is there any reason why you are not upgrading to 1.7 ?
Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231
Thanks Richard for the quick response!


Richard Tookey wrote: I know of no tool to perform the task but it should be fairly straightforward to write a script (or Java program) to list and export the certificates in the 1.4 cacerts and then import them into the 1.6 cacerts.


I would like to do it via the Java keytool utility. As per your suggestion, should I use just the 1.6 keytool utility to export all certificates mentioned in the 1.4 cacerts to some other temp file and then import it back with the 1.6 keytool?

Richard Tookey wrote:
P.S. Is there any reason why you are not upgrading to 1.7 ?


It is one of my client's choices.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083
    

Fidel Edwards wrote: Should I use just the 1.6 keytool utility to export all certificates mentioned in the 1.4 cacerts to some other temp file and then import it back with the 1.6 keytool?

I don't see why not!

Richard Tookey wrote:
P.S. Is there any reason why you are not upgrading to 1.7 ?

It is one of my client's choices.

Your client will be using a JRE that is heading towards its end of life.
Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231
Thanks Ric!

I will try it today and update you if it works for me.

Many thanks for the instant response!
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10263
    

Richard Tookey wrote:

Richard Tookey wrote:
P.S. Is there any reason why you are not upgrading to 1.7 ?

It is one of my client's choices.

Your client will be using a JRE that is heading towards its end of life.


Java 6 has already been EOLed since Feb 2013 http://www.oracle.com/technetwork/java/eol-135779.html


Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231
Jaikiran Pai wrote:
Java 6 has already been EOLed since Feb 2013 http://www.oracle.com/technetwork/java/eol-135779.html


Sorry to say that, but my client is more interested in using those software/hardware versions which are near their death.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083
    

Fidel Edwards wrote:
Sorry to say that, but my client is more interested in using those software/hardware versions which are near their death.


I hadn't realised that 1.6 had actually come to its end of life, and even though I am always slow to upgrade to the latest version of anything, I would not use anything that has passed the point of active support by the manufacturer.
Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231
Richard Tookey wrote:
I hadn't realised that 1.6 had actually come to its end of life, and even though I am always slow to upgrade to the latest version of anything, I would not use anything that has passed the point of active support by the manufacturer.


Just a small question: the link provided by Jai doesn't show the End-of-Life of Java 6; rather it shows End of Public Updates. Are both terms pointing to the same thing?
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083
    

Fidel Edwards wrote:
Richard Tookey wrote:
I hadn't realised that 1.6 had actually come to its end of life, and even though I am always slow to upgrade to the latest version of anything, I would not use anything that has passed the point of active support by the manufacturer.


Just a small question: the link provided by Jai doesn't show the End-of-Life of Java 6; rather it shows End of Public Updates. Are both terms pointing to the same thing?


If you look carefully at that site you will see that your client can purchase support for about a further 5 years after the "End of Public Updates". If there is any doubt in your mind about this then I suggest you contact Oracle.
Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231
Hi Richard,

I am not able to export the 1.4 cacerts to the 1.6 cacerts. I am trying the following steps; please correct me if I am missing anything (JRE 1.6 is already installed on my machine).

Here is the folder structure

cacerts (1.4 version)
|
converted
|____cacerts6 ( where output would be provided)

i) I ran the following command, considering that cacerts (1.4) would be picked up and exported to the converted\cacerts6 file


I am not able to understand why it is happening.

I wanted to use the -alias argument as well, but as there are hundreds of certificates existing in cacerts (1.4 version), it is not possible for me to mention the alias for each and every certificate in the cacerts (1.4 version) file.

Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083
    

You can't do this in just one line! As I said earlier, you will have to write a script or maybe a Java program. The script will use the "keytool -list" to get a list of the certificates which you will then need to parse to get the certificate identities and then you will process each certificate from the list copying it out of the old cacert and into the new. You will have to avoid copying the CA certificates.

I use Linux so I would probably use 'bash' with 'awk' and/or 'sed' to extract the identities from the list. You could use just about any language instead of 'bash' to invoke 'keytool' (probably the easiest would be Perl) but if you have a Java background then Java with ProcessBuilder would be good. In some ways the best approach would be to read and process the cacerts in Java using the KeyStore class.

Edit : Out of interest I quickly wrote a Java program to copy certificates from cacerts to a new cacerts using the KeyStore class. Without the filtering of the certificates that you will require this program was about 20 active lines.
Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231
Many thanks Richard for the suggestion!

I found another simpler way to achieve it in JRE 1.6.


Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083
    

Fidel Edwards wrote: Many thanks Richard for the suggestion!

I found another simpler way to achieve it in JRE 1.6.




I'm not convinced since this may overwrite CA certificates with out-of-date versions! This is why I expected a filter to be needed.
Fidel Edwards
Ranch Hand

Joined: Mar 19, 2008
Posts: 231

Hi Ric,

I checked all my certificates' entries and the duration of each certificate is intact. The only thing that changed was the creation date of the certificates, not the validity of the certificates.

Richard Tookey wrote:
I'm not convinced since this may overwrite CA certificates with out-of-date versions! This is why I expected a filter to be needed.

How can I verify this?
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083
    

Fidel Edwards wrote:
I checked all my certificates' entries and the duration of each certificate is intact. The only thing that changed was the creation date of the certificates, not the validity of the certificates.

Surely what matters is the 'not after' date and it is very possible that this will have changed in the 1.6 cacerts. I would have expected you to have filtered on this parameter.

Richard Tookey wrote:
I'm not convinced since this may overwrite CA certificates with out-of-date versions! This is why I expected a filter to be needed.

How can I verify this?


Compare the 'not after' date for certificates that have the same alias in both 1.4 and 1.6. I have 77 certificates in my 1.7 cacerts which will take no time at all to check using a Java program, since the X509Certificate.getNotAfter() method returns a java.util.Date which makes comparison easy. Of course I could be wrong and the certificates may not have been superseded (I have no way of checking) but to paraphrase Clint Eastwood - do you feel lucky?

Edit : of course you could create a copy of the 1.4 cacerts and copy into it the 1.6 cacerts and replace the 1.6 cacerts with the updated copy. This way you will keep all the new certificates and not overwrite them!
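The KeyStore-based merge Richard sketches in his two posts above (copy the old trusted certificates across, but filter on the 'not after' date instead of blindly overwriting the newer store's entries) looks roughly like the program below. This is an added example, not Richard's 20-line program and not anything posted in the thread; the file paths, the output file name, the "changeit" password (the conventional default for a JRE cacerts, but verify it for your installation) and the class name MergeCacerts are all assumptions. It keeps every certificate the 1.6 store already has, adds only the aliases that exist solely in the 1.4 store and have not yet expired, and prints a line for every alias present in both stores whose certificate differs, flagging the case where the newer store's copy expires earlier.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/*
 * Merge trusted CA certificates from an old cacerts (the 1.4 one) into an
 * in-memory copy of a new cacerts (the 1.6 one) without letting an older
 * certificate overwrite the newer store's entry under the same alias.
 *
 * Usage (all four arguments are assumptions for this example):
 *   java MergeCacerts /path/to/jre1.4/lib/security/cacerts \
 *                     /path/to/jre1.6/lib/security/cacerts \
 *                     merged-cacerts changeit
 */
public class MergeCacerts {

    /* Load a JKS keystore; cacerts in both JRE versions is a JKS file. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: MergeCacerts <old-cacerts> <new-cacerts> <output> <password>");
            System.exit(1);
        }
        char[] password = args[3].toCharArray();
        KeyStore oldKs = load(args[0], password);
        KeyStore newKs = load(args[1], password);   // merged into and written out as the result
        Date now = new Date();
        int copied = 0, skippedExpired = 0, identical = 0, conflicts = 0;

        for (String alias : Collections.list(oldKs.aliases())) {
            /* cacerts holds trusted-certificate entries only; ignore anything else. */
            if (!oldKs.isCertificateEntry(alias)) {
                continue;
            }
            Certificate oldCert = oldKs.getCertificate(alias);
            if (!(oldCert instanceof X509Certificate)) {
                continue;
            }
            Date oldNotAfter = ((X509Certificate) oldCert).getNotAfter();

            /* An already expired trust anchor is never worth carrying forward. */
            if (oldNotAfter.before(now)) {
                skippedExpired++;
                continue;
            }

            if (!newKs.containsAlias(alias)) {
                /* Present only in the old store: adding it overwrites nothing. */
                newKs.setCertificateEntry(alias, oldCert);
                copied++;
                continue;
            }

            /* Same alias in both stores: never overwrite, only report what differs. */
            Certificate newCert = newKs.getCertificate(alias);
            if (oldCert.equals(newCert)) {   // Certificate.equals() compares the DER encodings
                identical++;
                continue;
            }
            conflicts++;
            String verdict = "kept the newer store's certificate";
            if (newCert instanceof X509Certificate) {
                Date newNotAfter = ((X509Certificate) newCert).getNotAfter();
                if (newNotAfter.before(oldNotAfter)) {
                    verdict = "CHECK: newer store's copy expires earlier (" + newNotAfter + ")";
                }
            }
            System.out.println("conflict " + alias + ": old notAfter=" + oldNotAfter + "; " + verdict);
        }

        OutputStream out = new FileOutputStream(args[2]);
        try {
            newKs.store(out, password);
        } finally {
            out.close();
        }
        System.out.println("copied=" + copied + " identical=" + identical
                + " conflicts=" + conflicts + " skippedExpired=" + skippedExpired);
    }
}
```

The output file is written separately rather than over the installed 1.6 cacerts, so the result can be inspected with keytool -list before it replaces anything. Aliases in a JKS store are case-insensitive, so containsAlias() catches the collision whichever case the two JREs used; the conflict lines are the list Richard suggests comparing by hand, and a "CHECK" line is the one case where the newer store may actually hold the older certificate.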
 