Import Client's Public Certificate into Server's Trust Store

In order to authenticate the client, one must import the client's public certificate into the server's trust store.

When creating a TrustManager, Sun's JSSE implementation will first check for an alternate cacerts file before falling back to the standard cacerts file. This enables one to provide a JSSE-specific set of trusted root certificates separate from ones that might be present in cacerts for code signing purposes.

The search order for locating the trust store is:

1) <java-home>\lib\security\jssecacerts, then
2) <java-home>\lib\security\cacerts

Note that if the file jssecacerts exists, then cacerts is not consulted.

Required inputs

Procedure

Import the client's public certificate into one of the following trust stores:

Procedure: JSSE Trust Store (jssecacerts)

Follow this procedure if the client's public certificate is to be imported into the JSSE trust store jssecacerts. Alternatively, one may import the certificate into the standard trust store.

  1. Open a command window
  2. Ensure that the command window contains the JRE\bin directory in its path
    set path=%path%;C:\j2sdk1.4.2_02\bin
  3. Navigate the command window to a private directory which will contain the server's trust store file (for example, <java-home>\lib\security\)
  4. Import client's public certificate into your jssecacerts trust store.
    1. keytool -import -alias <jsseca_alias> -file <client_public_certificate> -keystore <truststore_filename> -storepass <truststore_password>
      (for example, keytool -import -alias ca_client -file client.cer -keystore jssecacerts -storepass changeit )
    2. Trust this certificate: [no] yes<Return>

If a mistake is made, the certificate can be deleted from the trust store by following the procedure to delete a certificate.

Procedure: Standard Trust Store (cacerts)

Follow this procedure if the client's public certificate is to be imported into the standard trust store cacerts. Alternatively, one may import the certificate into the JSSE trust store.

  1. Open a command window
  2. Ensure that the command window contains the JRE\bin directory in its path
    set path=%path%;C:\j2sdk1.4.2_02\bin
  3. Navigate the command window to a private directory which will contain the server's trust store file (for example, <java-home>\lib\security\)
  4. Import client's public certificate into your cacerts trust store.
    1. keytool -import -alias <ca_alias> -file <client_public_certificate> -keystore <truststore_filename> -storepass <truststore_password>
      (for example, keytool -import -alias ca_client -file client.cer -keystore cacerts -storepass changeit )
    2. Trust this certificate: [no] yes<Return>

If a mistake is made, the certificate can be deleted from the trust store by following the procedure to delete a certificate.
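
After either procedure, it is worth confirming that the certificate landed in the trust store JSSE will actually read. The program below is an added example, not part of the original page or of Sun's documentation: it applies the search order described above, loads the resulting file, and prints the fingerprint of the imported entry. The class name EffectiveTrustStore is hypothetical, the defaults ca_client and changeit are taken from the page's example commands, and Java 7 or later is assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;

// Added example (hypothetical class name). Usage: java EffectiveTrustStore [alias] [storepass]
public class EffectiveTrustStore {

    // Same search order as described above: if jssecacerts exists, cacerts is not consulted.
    static File locate(File javaHome) {
        File security = new File(new File(javaHome, "lib"), "security");
        File jsse = new File(security, "jssecacerts");
        return jsse.isFile() ? jsse : new File(security, "cacerts");
    }

    // Colon-separated SHA-256 fingerprint of the DER-encoded certificate.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "ca_client";   // alias from the page's example
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // Not covered on the page: an explicit javax.net.ssl.trustStore setting overrides both files.
        String override = System.getProperty("javax.net.ssl.trustStore");
        File store = override != null ? new File(override)
                                      : locate(new File(System.getProperty("java.home")));

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, pass);   // throws IOException on a wrong password or failed integrity check
        }
        System.out.println("Effective trust store: " + store + " (" + ks.size() + " entries)");

        if (!ks.isCertificateEntry(alias)) {
            System.out.println("'" + alias + "' is not a trusted certificate entry in this store");
            System.exit(1);
        }
        System.out.println(alias + " SHA-256 " + fingerprint(ks.getCertificate(alias)));
    }
}
```

Compare the printed fingerprint with the value obtained from the owner of the client certificate through a separate channel. If the program reports jssecacerts while the certificate was imported into cacerts, the import has no effect on JSSE.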