How to properly import a self-signed certificate into the Java keystore so that it is available to all Java applications by default?
Whip out your terminal and enter:
Ensure $JAVA_HOME is your Java installation directory. Replace yourCert with a unique alias, and point -file at the path to your certificate file. The keystore’s password is changeit by default.
Voila! You've just trusted your self-signed certificate across all Java apps that run on this installation and use its default truststore.
Preliminary steps: Prepare for the quest
There are some tasks to complete before beginning your import journey to ensure its success:
Identify your Java version
Ensure you're using the appropriate version of Java. Call System.getProperty("java.home") from Java code to quickly identify your active Java home.
Secure the certificate download
Always remember to use a secure method when downloading your certificate from the server.
Verify before import
Reduce the risk of potential blunders by confirming the details of the certificate before importing it.
Safety first, folks: Backup your files
Back up the cacerts file before making changes to it. An unaltered version can be a lifesaver when debugging unforeseen errors.
Import certificate: A detailed guide
Now that you've completed the preliminary steps, let's dive into the main dishes on our menu aka the import process.
Download the certificate
This one's a no-brainer. Need a certificate? Download it first. The server's SSL cert can be easily procured using openssl s_client.
Spotting the keystore
Get to $JAVA_HOME/lib/security/cacerts to start cooking! Remember, sudo is your friend when it comes to navigating the security directories.
Certificate import
Use the Java keytool utility as your personal shortcut to the main spice rack:
Update the alias, certificate path, and keystore location.
Post-import: Check and move cacerts
After a TV-commercial-length coffee break, confirm that the certificate is now securely embedded in your cacerts keystore using the keytool -list command. Next, return the cacerts file to its original location.
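The steps above as one script, an added example that is not part of the original article: it locates cacerts under $JAVA_HOME (also covering the JDK 8 jre/ layout, which goes beyond the path given above), compares the certificate's SHA-256 fingerprint with a value obtained out of band, backs up the keystore, then imports in place and lists the new entry. The function names, server.crt and the script name import-cert.sh are assumptions; yourCert and changeit are the article's alias and default password.

```shell
#!/bin/sh
# Added example: back up cacerts, check the fingerprint, then import.
# yourCert, server.crt and the expected fingerprint are placeholders.

# Locate cacerts: Java 9+ keeps it under lib/security, JDK 8 under jre/.
find_cacerts() {
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    echo "no cacerts under $1" >&2
    return 1
}

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab:cd:..." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# import_cert ALIAS CERT_FILE EXPECTED_SHA256 [STOREPASS]
import_cert() {
    alias_name=$1; cert=$2; expected=$(normalize_fp "$3"); pass=${4:-changeit}
    store=$(find_cacerts "$JAVA_HOME") || return 1
    actual=$(normalize_fp "$(openssl x509 -in "$cert" -noout -fingerprint -sha256)")
    # Refuse to trust a certificate whose fingerprint is missing or different.
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, refusing to import $cert" >&2
        return 1
    fi
    # Timestamped backup so the unaltered keystore can be restored.
    cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -importcert -noprompt -alias "$alias_name" -file "$cert" \
        -keystore "$store" -storepass "$pass" || return 1
    # Confirm the entry is now present.
    keytool -list -alias "$alias_name" -keystore "$store" -storepass "$pass"
}

# Runs only when called with arguments, e.g. with sudo:
#   sh import-cert.sh yourCert server.crt 'AB:CD:...'
if [ "$#" -ge 3 ]; then import_cert "$@"; fi
```

To undo the change, copy the timestamped .bak file back over cacerts.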
Advanced topics: JKS or PKCS12?
Stay on top of your game: Java 9 and later versions use PKCS12 as the default keystore type instead of JKS because PKCS12 is the new and improved keystore format. Convert your keystore to PKCS12:
Automate the repeated process
Seasoning your Java apps should be an ongoing process. Consider using batch scripts from GitHub, or visual tools like Portecle, to stay on top of your certificate management.
Tips and tricks: Edge cases
Admin privileges
No success without sudo? Here's a joke from a server admin: "Got problem? Have you tried using sudo? 😂"
Pointing to the right Java
Mixed up between multiple Java installations? Add this to your toolbox:
Forgetful mind
If you forgot your keystore password then we've got some good news for you. The default keystore password is 'changeit' - for when you initially forget to change it 🥁🤣.