Adding a certificate to Trusted Certificates

Posted on 2010-01-05
Last Modified: 2012-05-08
Hello all,

Trying to do the same thing that this poster was doing. http://www.experts-exchange.com/Programming/Languages/Java/Q_22972575.html?sfQueryTermInfo=1+certif+trust 

I was wondering if anyone had a sample of how to use keytool to do this.
Question by:dwb178
LVL 86

Accepted Solution

by:
CEHJ earned 1000 total points
ID: 26183441
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 26186373
there is absolutely no point in doing so.

the trust store for self signed (CA) certificates is the cacert file in the security subdirectory, under lib in the java home path.

it's easier and quicker to just replace that file from the server with one already imported correctly, rather than trying each time to re-import from a pem certificate.
0
 
LVL 6

Expert Comment

by:arevuri
ID: 26187136
use keytool command line executable program provided by java to add your certificate.
0
LVL 86

Expert Comment

by:CEHJ
ID: 26189675
>>
it's easier and quicker to just replace that file from the server with one already imported correctly, rather than trying each time to re-import from a pem certificate.
>>

Surely that would only be the case if each cacerts were identical other than the replacement having the extra required cert?
0
 
LVL 1

Author Comment

by:dwb178
ID: 26189960
Hello all,

Thank you for the suggestions, however, I have not found a solution for my problem. I will elaborate on it a little more in hopes of finding an answer.

The project I am working on displays "Do you want to trust the sign applet by.....   Yes, No, Always". If I choose yes or always, I notice it modifies the C:\Documents and Settings\MyUserName\Application Data\Sun\Java\Deployment\security\deployment.certs file. I have tried using keytool to write to this file using the following command.

keytool.exe -import -file "C:\myCert.csr" -keystore "C:\Documents and Settings\MyUserName\Application Data\Sun\Java\Deployment\security\deployment.certs"

I am prompted for a password. I have tried changeit, "" (without spaces), and my Windows password and receive "keystore was tampered with, or password was incorrect" error message.

Does anyone know what the default password for deployment.certs file is?

I can simply replace the deployment.certs file with a known good one and have it work, but like CEHJ mentioned it would overwrite any changes that have been made to it.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 26189975
What happens when you use the code at the link I posted?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 26190975
the cacerts *should* be standardized, if this is a corporate solution. you don't want any certificates in there other than the ones you approved.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 26191059
>>the cacerts *should* be standardized,

That's probably true, but is a different issue really. If there were a pristine and final certs file that could be copied/used enterprise wide, that would be fine. How would the certs get into that file in the first place?

>>Does anyone know what the default password for deployment.certs file is?

Did you try 'changeit' ?
0
 
LVL 1

Author Comment

by:dwb178
ID: 26192025
@CEHJ
The tool says it added the certificate and I can see it listed in there using keytool and yes I tried the default password of changeit.

I also tried manually adding the cert to cacerts using keytool using the following command.

keytool -import -file "C:\myCert.csr" -trustcacerts -keystore "C:\Program Files\JavaSoft\JRE\1.4.2_13\lib\security\cacerts"

I enter yes when asked Trust this certificate.

I followed this tutorial http://www.mobilefish.com/tutorials/java/java_quickguide_keytool.html skipping steps 1-8 since the cert I have is already signed by Verisign, however, I don't see the cert when I pull it up in Java Control Panel.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 1000 total points
ID: 26192103
>>>>the cacerts *should* be standardized,

>> That's probably true, but is a different issue really, If there were
>> a pristine and final certs file that could be copied/used enterprise
>> wide, that would be fine. How would the certs get into that file in the first place?

In my opinion? there is one, and it's the one on my machine. If I want to update the enterprise model, I first update my own machine, make sure nothing breaks, then roll it out to a test sample of end user machines (and eventually all of them)

It gets there because I put it there - usually I use Keytool IUI, a GUI tool, but that's fine as I don't need automation there.

>>>>Does anyone know what the default password for deployment.certs file is?
>>Did you try 'changeit' ?

that's cacerts. for deployment.certs and trusted.certs you should use the empty string ("") - however, I don't use those in production environments, I make sure all the certs needed are signed by my own CA key, then distribute cacerts.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 26192901
>> however, don't see the cert when I pull it up in Java Control Panel.

Make sure you've added it to the right JRE - that one you mentioned is pretty old
0
 
LVL 1

Author Comment

by:dwb178
ID: 26274190
Thanks for your help guys. I ended up updating Java to at least version 1.5 and using the following command:

keytool.exe -import -file c:\my_cert.csr -keystore "C:\Documents and Settings\myuser\Application Data\Sun\Java\Deployment\security\trusted.certs" -storepass "" -noprompt

0
 
LVL 86

Expert Comment

by:CEHJ
ID: 26274236
:-)
0
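
An added example, not code from the thread or from the link CEHJ posted: a small Java program that adds one X.509 certificate to an existing JKS store in place, so entries already in the file survive instead of being overwritten by a replacement file. The class name and arguments are illustrative; the empty default password follows Dave Howe's comment about trusted.certs and deployment.certs.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added example (not from the thread): merge one certificate into an existing
// JKS store so the entries already in the file are preserved.
public class AddTrustedCert {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: AddTrustedCert <store> <cert-file> <alias> [storepass]");
            System.exit(2);
        }
        Path store = Paths.get(args[0]);
        // Assumption taken from the thread: "" for trusted.certs/deployment.certs,
        // "changeit" for cacerts. Pass the fourth argument to override.
        char[] pass = (args.length > 3 ? args[3] : "").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, pass); // a wrong password fails here with an IOException
        }

        // The input must be an X.509 certificate (DER or PEM), not a signing request.
        Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        String existing = ks.getCertificateAlias(cert);
        if (existing != null) {
            System.out.println("Already trusted under alias " + existing + "; store unchanged.");
            return;
        }
        if (ks.containsAlias(args[2])) {
            throw new IllegalStateException("Alias in use by a different entry: " + args[2]);
        }
        ks.setCertificateEntry(args[2], cert);

        // Write to a temporary file first so a failed write cannot truncate the store.
        Path tmp = store.resolveSibling(store.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, pass);
        }
        Files.move(tmp, store, StandardCopyOption.REPLACE_EXISTING);
        System.out.println("Added " + args[2] + " to " + store);
    }
}
```

Listing the store afterwards with keytool -list confirms the new alias sits alongside the entries that were already there.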

Question has a verified solution.