In our last post, we discussed how to list keystore certificates. Here we will see how to import certificates into the cacerts keystore file in Java.
To import certificates, you add them to the keystore file one at a time. The certificates may have a .cer extension.
Application servers like WebSphere and WebLogic keep their keystore in a file with the .jks extension. JKS stands for Java KeyStore.
Syntax
keytool -import -trustcacerts -alias certificateName -file "Absolute path of the certificate in backslash with extension" -keystore cacerts -storepass "certificate password here"
Cacerts is a CA keystore file. To install certificates into cacerts, you use the following options:
trustcacerts - trustcacerts means trusted certificates. It can be read as trusted ca certs.
alias - Each certificate in the cacerts keystore file is identified by its alias.
file - The signed certificate file.
Command
Insert First Certificate
I have copied the certificates certificate1.cer and certificate2.cer to the jre/lib/security folder.
C:\Program Files\Java\jdk1.8\bin>keytool -import -trustcacerts -alias certificate1 -file "C:/Program Files/Java/jdk1.8/jre/lib/security/certificate1.cer" -keystore cacerts -storepass "CertificatePasswordHere"
Certificate was added to keystore
Insert Second Certificate
keytool -import -trustcacerts -alias certificate2 -file "C:/Program Files/Java/jdk1.8/jre/lib/security/certificate2.cer" -keystore cacerts -storepass "CertificatePasswordHere"
The command below, which gives the absolute path of the cacerts file, will also work. A relative -keystore value is resolved against the current directory, so the absolute path makes it explicit which cacerts file is modified.
keytool -import -trustcacerts -alias certificate2 -file "C:/Program Files/Java/jdk1.8/jre/lib/security/certificate2.cer" -keystore "C:/Program Files/Java/jdk1.8/jre/lib/security/cacerts" -storepass "CertificatePasswordHere"
The above commands are tested for a Spring Boot application that uses an Oracle Java JDK.
For IBM WebSphere Application Server and Oracle WebLogic Server, just replace cacerts with keystorefilename.jks. Also note that both WebSphere and WebLogic might use their own JDK, so point to the correct path when using these application servers.
The default JVM of WebSphere is located at <WebSphere installed Location>/AppServer/java or C:/Program Files/IBM/WebSphere/AppServer/bin, and the keystore will be found in <WebSphere installed Location>/AppServer/java/jre/lib/security/cacerts.
By using this command you have added Signed Certificates to the existing Cacerts Keystore file. You can add multiple certificates in this way.
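One way to wrap the import above with checks before and after, as an added example that is not part of the original post: it compares the certificate's SHA-256 fingerprint with a value obtained out of band, backs up cacerts, imports, and then lists the new entry. The paths, alias and password reuse the placeholders from the commands above; the expected fingerprint is a placeholder you must fill in.

```powershell
# Added example. All parameter defaults are placeholders taken from the post
# or marked as such; adjust them to your own JDK and certificate.
param(
    [string]$JavaHome  = 'C:\Program Files\Java\jdk1.8',
    [string]$CertFile  = 'C:\Program Files\Java\jdk1.8\jre\lib\security\certificate1.cer',
    [string]$Alias     = 'certificate1',
    [string]$StorePass = 'CertificatePasswordHere',
    # Colon-separated SHA-256 fingerprint received from the certificate owner (placeholder).
    [string]$ExpectedSha256 = '<EXPECTED-SHA256-FINGERPRINT>'
)

$keytool  = Join-Path $JavaHome 'bin\keytool.exe'
$keystore = Join-Path $JavaHome 'jre\lib\security\cacerts'

# 1. Hash the DER encoding of the certificate and format it the way keytool
#    displays fingerprints (AA:BB:CC:...), then compare with the expected value.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'
if ($actual -ne $ExpectedSha256.ToUpper()) {
    throw "Fingerprint mismatch for $CertFile. Computed: $actual"
}

# 2. Stop if the alias is already in use, so an existing entry is never confused
#    with the new one. keytool exits with 0 when the alias is found.
& $keytool -list -alias $Alias -keystore $keystore -storepass $StorePass | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "Alias '$Alias' already exists in $keystore"
}

# 3. Keep a timestamped copy of the trust store so the change can be rolled back.
$backup = "$keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -Path $keystore -Destination $backup -ErrorAction Stop

# 4. Import. -noprompt skips the interactive "Trust this certificate?" question,
#    which is acceptable here only because step 1 already verified the fingerprint.
& $keytool -import -trustcacerts -noprompt -alias $Alias -file $CertFile `
    -keystore $keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) {
    throw "keytool import failed; the untouched backup is at $backup"
}

# 5. Show the stored entry so its fingerprint can be checked once more.
& $keytool -list -v -alias $Alias -keystore $keystore -storepass $StorePass
```

Writing to a cacerts file under C:\Program Files needs an elevated PowerShell session, and the JVM has to be restarted before it picks up the new trust entry.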