I need to import a certificate into my JVM keystore. I am using the following:
keytool -import -alias daldap -file somecert.cer
so I would need to probably change my call into something like:
keytool -import -alias daldap -file somecert.cer -keystore cacerts –storepass changeit
Your keystore will be in your JAVA_HOME---> JRE -->lib---> security--> cacerts. You need to check where your JAVA_HOME is configured, possibly one of these places,
Computer--->Advanced --> Environment variables---> JAVA_HOME
Your server startup batch files.
In your import command -keystore cacerts (give full path to the above JRE here instead of just saying cacerts).
Keystore Location
Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named .keystore in the user's home directory, as determined by the "user.home" system property. Given user name uName, the "user.home" property value defaults to
C:\Users\uName on Windows 7 systems
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems
Thus, if the user name is "cathy", "user.home" defaults to
C:\Users\cathy on Windows 7 systems
C:\Winnt\Profiles\cathy on multi-user Windows NT systems
C:\Windows\Profiles\cathy on multi-user Windows 95 systems
http://docs.oracle.com/javase/1.5/docs/tooldocs/windows/keytool.html
Mac OS X 10.12 with Java 1.8:
$JAVA_HOME/jre/lib/security
cd $JAVA_HOME
/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home
From there it's in:
./jre/lib/security
I have a cacerts keystore in there.
To specify this as a VM option:
-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit
I'm not saying this is the correct way (Why doesn't java know to look within JAVA_HOME?), but this is what I had to do to get it working.
You can find it in your "Home" directory:
On Windows 7:
C:\Users\<YOUR_ACCOUNT>\.keystore
On Linux (Ubuntu):
/home/<YOUR_ACCOUNT>/.keystore
This works for me:
#! /bin/bash
CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))/../lib/security/cacerts)
if keytool -list -keystore $CACERTS -storepass changeit > /dev/null ; then
echo $CACERTS
else
echo 'Can not find cacerts file.' >&2
exit 1
fi
Only for Linux. My Solaris has no readlink. In the end I used this Perl-Script:
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$_/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $_;
my $keytool = $_;
print "Using '$keytool'.\n";
s/keytool$//;
$_ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $_;
my $cacerts = $_;
print "Importing into '$cacerts'.\n";
`$keytool -list -keystore "$cacerts" -storepass changeit`;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $_;
s/\.[^.]+$//;
my $alias = $_;
print "Importing '$cert' as '$alias'.\n";
`keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit`;
warn "Can not import certificate: $?" unless $? == 0;
}
As DimtryB mentioned, by default the keystore is under the user directory. But if you are trying to update the cacerts file, so that the JVM can pick the keys, then you will have to update the cacerts file under jre/lib/security. You can also view the keys by executing the command keytool -list -keystore cacerts to see if your certificate is added.
We encountered this issue on a Tomcat running from a jre directory that was (almost fully) removed after an automatic jre update, so that the running jre could no longer find jre.../lib/security/cacerts because it no longer existed.
Restarting Tomcat (after changing the configuration to run from the different jre location) fixed the problem.
In addition to all answers above:
If updating the cacerts file in JRE directory doesn't help, try to update it in JDK.
C:\Program Files\Java\jdk1.8.0_192\jre\lib\security
On Debian, using openjdk version "1.8.0_212", I found cacerts here:
/etc/ssl/certs/java/cacerts
Sure would be handy if there was a standard command that would print out this path.
来源:https://stackoverflow.com/questions/8980364/how-do-i-find-out-what-keystore-my-jvm-is-using