
Has anyone come across having to deal with a .truststore file, and do you know how to import a .cer into a .truststore file?

I am not sure if I have to use Java Keytool or Linux command (such as openssl command).

Thanks

netic

3 Answers

1. Copy the certificate into the directory Java_home\Jre\Lib\Security
2. Change your directory to Java_home\Jre\Lib\Security
3. Import the certificate to a trust store.

keytool -import -alias ca -file somecert.cer -keystore cacerts -storepass changeit [Return]

Trust this certificate: [Yes]

changeit is the default truststore password

ScArcher2
Strelok
  • Anyone know how to do this in openssl? – Balamurugan Jul 11 '11 at 08:07
  • This command lets you download the certificate to a file named certfile.txt: openssl s_client -connect HOSTNAME:PORTNUM 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certfile.txt --- Then use keytool to import it into your trust store – Christian Achilli Sep 09 '11 at 10:09
  • You can download the certificate of any SSL-secured website in your browser. In Firefox just double-click the lock symbol in the URL address field. – BetaRide Dec 17 '13 at 15:31
  • If you have a "jssecacerts" file, use "-keystore jssecacerts" instead. "cacerts" is ignored – kommradHomer Jul 05 '19 at 14:01

Instead of using sed to filter out the certificate, you can also pipe the openssl s_client output through openssl x509 -out certfile.txt, for example:

echo "" | openssl s_client -connect my.server.com:443 -showcerts 2>/dev/null | openssl x509 -out certfile.txt
Cape Code
jbuhacoff
  • This answer was intended as an improvement to Christian's comment on the accepted answer about downloading the certificate. Probably should have been a comment. – jbuhacoff Mar 19 '19 at 01:04

The way you import a .cer file into the trust store is the same way you'd import a .crt file from say an export from Firefox.

You do not have to put an alias and the password of the keystore, you can just type:

keytool -v -import -file somefile.crt  -alias somecrt -keystore my-cacerts

Preferably use the cacerts file that is already in your Java installation (jre\lib\security\cacerts) as it contains secure "popular" certificates.

Update regarding the differences between cer and crt (just to clarify). According to "Apache with SSL - How to convert CER to CRT certificates?" and user @Spawnrider:

CER is a X.509 certificate in binary form, DER encoded.
CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.
It is not the same encoding.

Robert Houghton
Andreas Panagiotidis
  • All this means is that you exported the file with a slightly different name. It doesn't change the file, the question, or the answer. It is wise to specify an alias: otherwise you risk overwriting a prior import. – user207421 Sep 14 '16 at 20:52
  • Do .crt and .cer have the same format? Does the extension play no role in the certificates? Good point about the alias. – Andreas Panagiotidis Sep 16 '16 at 11:13
  • I answer my question: Yes, crt and cer have the same format. Same thing. You can import both in trust store. – Andreas Panagiotidis Jan 20 '17 at 10:11