How to specify root certificate for Java application in Redhat linux?

Medium Priority
187 Views
Last Modified: 2019-01-20
How to specify/set up the root certificate with the parameter "deployment.user.security.cacerts" for Java (current version: java-1.8.0-oracle-1.8.0.xxx) on Linux (Red Hat 2.6.32-754.9.1.xxx.x86_64)? Since the Java version is often upgraded, I would like to place the root certificate in an unchangeable place. Can any gurus shed some light on it? Thanks a lot.

CERTIFIED EXPERT
Top Expert 2016

Commented:
Is this a server machine?
jl66Consultant

Author

Commented:
Yes. Thanks.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Usually you would use the -Djavax.net.ssl.trustStore switch. If you want to use your own switch you would have to do: -Ddeployment.user.security.cacerts and then load the certification manually (i.e. with code).
CERTIFIED EXPERT
Top Expert 2016

Commented:
alias java='java -Ddeployment.user.security.cacerts=/home/foo/cacerts'


might be one way of doing it (for the user 'foo' running java)
jl66Consultant

Author

Commented:
Thanks a lot for the tips.
girionis: can you give me a concrete example on how to use that option -Djavax.net.ssl.trustStore?
CERTIFIED EXPERT
Top Expert 2016

Commented:
That's not the option you need afaics
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Java by default reads the certificates from <java installation>/jre/lib/security/cacerts file. You can copy and paste this file to another folder and just provide the path to this file using the trustStore switch. For example if you copy/paste the cacerts file into /home/myapp/certifications then you can pass the following argument:

-Djavax.net.ssl.trustStore=/home/myapp/certifications/cacerts

to JVM when you start Java.
CERTIFIED EXPERT
Top Expert 2016

Commented:
https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/security.html :

The Root Certificate Authority certificate stores are the union of the certificate stores in the files pointed to by the properties: deployment.user.security.cacerts and deployment.system.security.cacerts. By default deployment.system.security.cacerts points to the cacerts file in the jre/lib/security directory. deployment.user.security.cacerts points to a file that contains any additional cacerts imported into it using the Certificates dialog in the Security tab of the Java Control Panel.
I'm guessing that for your purposes, you've already identified the proper system security property
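A worked example of what the two preceding answers describe, added here and not code from any of the posters: the JRE's own cacerts is loaded, a second store kept at a stable path outside the JDK tree is loaded, the two are merged into one in-memory store (the "union" behaviour the Oracle text describes for the deployment.*.security.cacerts properties), and the result is installed as the process-wide SSLContext so no -D switch is needed on each command. Plain Java outside Web Start does not interpret deployment.user.security.cacerts, so the property is read and applied by hand here, as girionis noted. The path /etc/pki/java/private-cacerts, the truststore.password property and the shared "changeit" password are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Trust anchors = JRE cacerts UNION a private truststore kept at a stable path.
 * Plain Java (outside Web Start / the Java Control Panel) does not interpret
 * deployment.user.security.cacerts, so the property is read and applied here by hand.
 */
public final class UnionTrustStore {

    // Assumed location for the private root; it survives JDK upgrades because it
    // lives outside the JDK tree. Keep it root-owned and read-only for the app user.
    static final String DEFAULT_PRIVATE_STORE = "/etc/pki/java/private-cacerts";

    // Shipped default store; java.home is the JRE dir on Java 8 and the JDK dir on 9+,
    // and lib/security/cacerts exists under both.
    static Path systemCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    static KeyStore load(Path path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Copies every trusted-certificate entry of the given stores into a fresh in-memory store. */
    static KeyStore union(KeyStore... stores) throws GeneralSecurityException, IOException {
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty store, never written to disk
        int n = 0;
        for (KeyStore ks : stores) {
            if (ks == null) continue;
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                String alias = e.nextElement();
                if (ks.isCertificateEntry(alias)) {
                    Certificate cert = ks.getCertificate(alias);
                    // numbered prefix so the same alias in both stores cannot clash
                    merged.setCertificateEntry((n++) + "-" + alias, cert);
                }
            }
        }
        return merged;
    }

    static SSLContext contextFor(KeyStore trust) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Honour the property from the question if set, else fall back to the assumed path.
        String privateStore =
                System.getProperty("deployment.user.security.cacerts", DEFAULT_PRIVATE_STORE);
        // Assumed property; "changeit" is the JRE's shipped cacerts password. Using one
        // password for both stores is a simplification of this example.
        char[] pw = System.getProperty("truststore.password", "changeit").toCharArray();

        KeyStore system = load(systemCacerts(), pw);
        KeyStore user = Files.exists(Paths.get(privateStore))
                ? load(Paths.get(privateStore), pw) : null;
        KeyStore merged = union(system, user);

        System.out.println("system anchors: " + system.size()
                + ", private anchors: " + (user == null ? 0 : user.size())
                + ", merged: " + merged.size());

        // Process-wide default, so HttpsURLConnection etc. use it without any -D switch.
        SSLContext.setDefault(contextFor(merged));
    }
}
```

Run it with `java UnionTrustStore` or `java -Ddeployment.user.security.cacerts=/home/foo/cacerts UnionTrustStore`; the printed counts are the check that the private root was actually picked up, since a missing or unreadable private store silently yields the same anchor count as the JRE default. Because the merge happens in memory, a Java upgrade replaces only the system half and the private root is untouched.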
Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Your packaging should take care of this.

Each time you update Java all public issuer chains automatically update.

Maybe what you're asking is about running a private CA + automatically adding your own private issuer chain to Java.

If this is what you're asking, https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html covers how to inject your own private CA issuer chains, so they get picked up automatically + no additional syntax is required to be added to each command.

David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Note: Keep in mind a 2.6.32-754.9 Kernel is very old + this will likely cause many other problems, if you have any public (new openssl code) connecting to your very old openssl code.

So long as you don't expose your 2.6.32-754.9 Kernel (along with related old openssl) as a public service, you should be fine.
CERTIFIED EXPERT
Top Expert 2016

Commented:
... covers how to inject your own private CA issuer chains
Yes, I assumed jl66 already knows how to do this, which is a task onerous in a different way - plus one likely to get overwritten (as the OP mentions)
jl66Consultant

Author

Commented:
Thanks a lot for the additional tips.
David -- your statement makes a lot of sense ("Each time you update Java all public issuer chains automatically update."), but I can't prove it now. If it is true, that is what I have been looking for. Appreciate it.
jl66Consultant

Author

Commented:
Thanks a lot for the additional comments.
David -- I feel this makes a lot of sense ("Each time you update Java all public issuer chains automatically update"), but currently I can't prove it. If so, that is what I want. Appreciate it.