Import Client's Public Certificate into Server's Trust Store
In order to authenticate the client, one must import the client's public certificate
into the server's trust store.
When creating a TrustManager, Sun's JSSE implementation will first
check for an alternate cacerts file before falling back to the standard
cacerts file. This enables one to provide a JSSE-specific set of trusted root
certificates separate from ones that might be present in cacerts for code signing purposes.
The search order for locating the trust store is:
1) <java-home>\lib\security\jssecacerts, then
2) <java-home>\lib\security\cacerts
Note that if the file jssecacerts exists, then cacerts is not consulted.
Required inputs
- public certificate filename (for example, "client.cer")
- trust store filename (for example, "jssecacerts" or "cacerts")
- trust store password (for example, "changeit")
- alias (for example, "ca_client")
Procedure
Import the client's public certificate into one of the following trust stores:
Procedure: JSSE Trust Store (jssecacerts)
Follow this procedure if the client's public certificate is to be imported into
the JSSE trust store jssecacerts. Alternatively, one may import the certificate into
the standard trust store.
- Open a command window
- Ensure that the command window contains the JRE\bin directory in its path
set path=%path%;C:\j2sdk1.4.2_02\bin
- Navigate the command window to a private directory which will contain the server's trust store file
(for example, <java-home>\lib\security\)
- Import client's public certificate into your jssecacerts trust store.
- keytool -import -alias <jsseca_alias> -file <client_public_certificate> -keystore <truststore_filename> -storepass <truststore_password>
(for example, keytool -import -alias ca_client -file client.cer -keystore jssecacerts -storepass changeit )
- Trust this certificate: [no] yes<Return>
If a mistake is made then the certificate can be deleted from the trust store by following the
procedure to delete a certificate.
Procedure: Standard Trust Store (cacerts)
Follow this procedure if the client's public certificate is to be imported into
the standard trust store cacerts. Alternatively, one may import the certificate into
the JSSE trust store.
- Open a command window
- Ensure that the command window contains the JRE\bin directory in its path
set path=%path%;C:\j2sdk1.4.2_02\bin
- Navigate the command window to a private directory which will contain the server's trust store file
(for example, <java-home>\lib\security\)
- Import client's public certificate into your cacerts trust store.
- keytool -import -alias <ca_alias> -file <client_public_certificate> -keystore <truststore_filename> -storepass <truststore_password>
(for example, keytool -import -alias ca_client -file client.cer -keystore cacerts -storepass changeit )
- Trust this certificate: [no] yes<Return>
If a mistake is made then the certificate can be deleted from the trust store by following the
procedure to delete a certificate.