Import Server's Public Certificate into Client's Trust Store
In order to authenticate the server, one must import the server's public certificate
into the client's trust store.
When creating a TrustManager, Sun's JSSE implementation will first
check for an alternate cacerts file before falling back to the standard
cacerts file. This enables one to provide a JSSE-specific set of trusted root
certificates separate from ones that might be present in cacerts for code signing purposes.
The search order for locating the trust store is:
1) <java-home>\lib\security\jssecacerts, then
2) <java-home>\lib\security\cacerts
Note that if the file jssecacerts exists, then cacerts is not consulted.
Required inputs
- public certificate filename (for example, "myserver.cer")
- trust store filename (for example, "jssecacerts" or "cacerts")
- trust store password (for example, "changeIt")
- alias (for example, "ca_server")
Procedure
Import the server's public certificate into one of the following trust stores:
Procedure: JSSE Trust Store (jssecacerts)
Follow this procedure if the server's public certificate is to be imported into
the JSSE trust store jssecacerts. Alternatively, one may import the certificate into
the standard trust store.
- Open a command window
- Ensure that the command window contains the JRE\bin directory in its path
set path=%path%;C:\j2sdk1.4.2_02\bin
- Navigate the command window to a private directory which will contain the server's trust store file
(for example, <java-home>\lib\security\)
- Import the server's public certificate into your jssecacerts trust store.
- keytool -import -alias <jsseca_alias> -file <server_public_certificate> -keystore <truststore_filename> -storePass <truststore_password>
(for example, keytool -import -alias ca_server -file server.cer -keystore jssecacerts -storepass changeIt )
- Trust this certificate: [Yes] <Return>
If a mistake is made then the certificate can be deleted from the trust store by following
the procedure to delete a certificate.
Procedure: Standard Trust Store (cacerts)
Follow this procedure if the server's public certificate is to be imported into
the standard trust store cacerts. Alternatively, one may import the certificate into
the JSSE trust store.
- Open a command window
- Ensure that the command window contains the JRE\bin directory in its path
set path=%path%;C:\j2sdk1.4.2_02\bin
- Navigate the command window to a private directory which will contain the server's trust store file
(for example, <java-home>\lib\security\)
- Import the server's public certificate into your cacerts trust store.
- keytool -import -alias <ca_alias> -file <server_public_certificate> -keystore <truststore_filename> -storePass <truststore_password>
(for example, keytool -import -alias ca_server -file server.cer -keystore cacerts -storepass changeIt )
- Trust this certificate: [Yes] <Return>
If a mistake is made then the certificate can be deleted from the trust store by following the
procedure to delete a certificate.
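To confirm which trust store the JRE actually consults and that the import landed in it, the following added example (not part of the original page) applies the search order described above and prints the SHA-256 fingerprint of the imported alias, for comparison with a value obtained from the server's administrator. The class name TrustStoreCheck and its two arguments are hypothetical, and the example assumes the javax.net.ssl.trustStore system property is not set.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;

// Added example; TrustStoreCheck is a hypothetical name, not part of the JRE.
public class TrustStoreCheck {
    // Mirrors the search order described above: jssecacerts first, then cacerts.
    // Assumption: the javax.net.ssl.trustStore system property is not set.
    static File resolveTrustStore(File javaHome) {
        File dir = new File(new File(javaHome, "lib"), "security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.isFile() ? jsse : new File(dir, "cacerts");
    }

    // Colon-separated SHA-256 fingerprint of the DER-encoded certificate.
    static String sha256Hex(Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustStoreCheck <alias> <truststore_password>");
            System.exit(2);
        }
        File store = resolveTrustStore(new File(System.getProperty("java.home")));
        System.out.println("Trust store in effect: " + store);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, args[1].toCharArray()); // fails if the password is wrong
        }
        System.out.println("Entries in store: " + ks.size());

        if (!ks.isCertificateEntry(args[0])) {
            System.err.println("Alias '" + args[0] + "' is not a trusted certificate entry in " + store.getName());
            System.exit(1);
        }
        // Compare this value with the fingerprint supplied out of band.
        System.out.println("SHA-256 of '" + args[0] + "': " + sha256Hex(ks.getCertificate(args[0])));
    }
}
```

If the store in effect is jssecacerts, the entry count shows whether it holds only the imported certificate; in that case the root certificates in cacerts are not used for JSSE.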