Download and import a certificate to keystore - One Level
This imports the lowest level certificate in the chain
CACERTS=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
HOST_TO_GET_CERT_FROM=dev.mylinkedthings.com
PORT_TO_GET_CERT_FROM=5643
CERT_FILE=./${HOST_TO_GET_CERT_FROM}.cert
echo -n | openssl s_client -connect ${HOST_TO_GET_CERT_FROM}:${PORT_TO_GET_CERT_FROM} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${CERT_FILE}
To print the file you just downloaded:
keytool -printcert -v -file ${CERT_FILE}
List all certificates in the store.
(The default Java keystore password is changeit.)
keytool -list -v -keystore ${CACERTS}
Do the actual import:
sudo keytool -import -trustcacerts -file ${CERT_FILE} -alias CA_ALIAS -keystore ${CACERTS}
Debugging:
If you get an alias error, try it with a different alias, e.g. CA_ALIAS2.
View certificate:
openssl x509 -in ${CERT_FILE} -noout -text
Download and import a certificate to keystore - Top Level
This picks out any certificate that we will need and this process is more manual.
CACERTS=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
HOST_TO_GET_CERT_FROM=dev.mylinkedthings.com
PORT_TO_GET_CERT_FROM=5643
CERT_FILE=./${HOST_TO_GET_CERT_FROM}.cert
CERT_FILE_ROOT=./${HOST_TO_GET_CERT_FROM}_ROOT.cert
echo -n | openssl s_client -connect ${HOST_TO_GET_CERT_FROM}:${PORT_TO_GET_CERT_FROM} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${CERT_FILE}
echo -n | openssl s_client -connect ${HOST_TO_GET_CERT_FROM}:${PORT_TO_GET_CERT_FROM} -prexit -showcerts
The first command saves the lowest level certificate to ${CERT_FILE} for comparison; the second echoes every certificate in the chain to the screen.
The second certificate will have something like:
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
This is the higher level in the cert chain. Copy everything from this cert, including the BEGIN and END lines, then run:
vi ${CERT_FILE_ROOT}
Paste and save
Import to the java keytool:
sudo keytool -import -trustcacerts -file ${CERT_FILE_ROOT} -alias CA_ALIAS -keystore ${CACERTS}
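
The copy-and-paste step in the Top Level procedure above can be scripted. This is an added example, not part of the original notes: shell functions that list the certificates in `-showcerts` output and extract the one at a given chain index. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick one certificate out of `openssl s_client -showcerts`
# output by chain index. Function names are hypothetical, not from the page.

# list_chain: print "index<TAB>subject" for each certificate in the chain.
list_chain() {
  awk '/^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); print idx "\t" $0 }'
}

# extract_chain_cert N: print the PEM block that follows the " N s:" line.
# Stops at the first match (-prexit can print the chain twice); returns
# non-zero when there is no complete certificate at index N.
extract_chain_cert() {
  awk -v want="$1" '
    BEGIN                 { cur = -1 }
    /^ *[0-9]+ s:/        { cur = $1 }
    /-BEGIN CERTIFICATE-/ { inpem = 1 }
    inpem && cur == want  { print }
    /-END CERTIFICATE-/   { if (inpem && cur == want) { done = 1; exit }
                            inpem = 0 }
    END                   { exit (done ? 0 : 1) }
  '
}

# Constructed sample output; PEM bodies are placeholders, not real certs.
sample_showcerts() {
  cat <<'EOF'
Certificate chain
 0 s:/CN=dev.mylinkedthings.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
CONSTRUCTED0LEAF0PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
CONSTRUCTED0ISSUER0PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# With the page's variables (needs network access, so not run here):
#   echo -n | openssl s_client -connect "$HOST_TO_GET_CERT_FROM:$PORT_TO_GET_CERT_FROM" \
#     -showcerts 2>/dev/null | extract_chain_cert 1 > "$CERT_FILE_ROOT"
#   keytool -printcert -v -file "$CERT_FILE_ROOT"   # review before importing

sample_showcerts | list_chain   # offline demo on the constructed sample
```
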
Debugging
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-d…
java SSLPoke ${HOST_TO_GET_CERT_FROM} ${PORT_TO_GET_CERT_FROM}
Previous Method
Download a certificate. From Chrome, choose the option "DER encoded binary X.509 (.CER)".
set "JAVA_HOME=C:\Program Files\Java\jdk1.7.0_51"
The default trust store password is changeit.
"%JAVA_HOME%\bin\keytool" -list -v -keystore "%JAVA_HOME%/jre/lib/security/cacerts"
set "TOTEST=C:\Users\rjmetcal\Desktop\ifttt.cer"
"%JAVA_HOME%\bin\keytool" -printcert -v -file "%TOTEST%"
Run the command prompt in admin mode to add the cert.
"%JAVA_HOME%\bin\keytool" -import -alias ca -file "%TOTEST%" -keystore "%JAVA_HOME%/lib/security/cacerts"
or
"%JAVA_HOME%\bin\keytool" -import -alias ca -file "%TOTEST%" -keystore "%JAVA_HOME%/jre/lib/security/cacerts"
Notes
Make sure the certificate is added to the right cacerts file. If keytool prompts you to retype the password, it is creating a new keystore file instead of updating the existing one.
Installing GoDaddy trust certificate on Raspberry Pi
GODADDYROOTCERT=~/GODADDYROOTCERT.crt
JAVAHOME=/usr/lib/jvm/jdk-8-oracle-arm-vfp-hflt/jre
# GODADDYURL must be set to the download URL of the GoDaddy root certificate before running wget (the URL is not recorded on this page)
wget -O ${GODADDYROOTCERT} ${GODADDYURL}
sudo ${JAVAHOME}/bin/keytool -import -alias ca -file ${GODADDYROOTCERT} -keystore ${JAVAHOME}/lib/security/cacerts
rm ${GODADDYROOTCERT}
Install random cert on Raspberry Pi
HOST=yearbook-wireless.lan:8080
ALIAS=yearbook_key
CERTFILE=~/cert.cert.rjmtmp.crt
JAVAHOME=/usr/lib/jvm/jdk-8-oracle-arm-vfp-hflt/jre
# Print the certificate to the screen first
echo | openssl s_client -connect ${HOST} 2>/dev/null | openssl x509
# Save the certificate from the same host to a temporary file
(echo | openssl s_client -connect ${HOST} 2>/dev/null | openssl x509) > ${CERTFILE}
sudo ${JAVAHOME}/bin/keytool -import -alias ${ALIAS} -file ${CERTFILE} -keystore ${JAVAHOME}/lib/security/cacerts
Enter the password changeit when prompted.
rm ${CERTFILE}
Manual windows install cert in a JRE
Use Chrome and export the cert as Base-64 encoded X.509.
The file will contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
The cacerts file will be in the JRE location, e.g. C:\Program Files\Java\jre8\lib\security\cacerts
SET CACERTS="C:\Program Files\Java\jre8\lib\security\cacerts"
SET CERT_FILE_ROOT="C:\off_desk\downloads\XXX.cer"
Import to the java keytool:
The password is changeit.
You need an admin command terminal.
keytool -import -trustcacerts -file %CERT_FILE_ROOT% -alias CA_ALIAS -keystore %CACERTS%