49

How do you import an SSL certificate created by java into a project in Eclipse?

MahlerFive
  • 5,159
  • 5
  • 30
  • 40

8 Answers8

49

Probably you want to import a "fake" SSL cert in JRE's trustcacerts for avoiding not-a-valid-certificate issues. Isn't it?

As Jon said, you can do the job with keytool:

keytool
    -import
    -alias <provide_an_alias>
    -file <certificate_file>
    -keystore <your_path_to_jre>/lib/security/cacerts

Use "changeit" as the default password when asked (thanks Brian Clozel). Ensure to use this runtime at your server or launch configuration.

Stevoisiak
  • 23,794
  • 27
  • 122
  • 225
sourcerebels
  • 5,140
  • 1
  • 32
  • 52
  • 11
    Worked for me. FYI, the default password associated with your keystore is "changeit" – Brian Clozel Mar 10 '10 at 15:51
  • 1
    When I enter `java keytool` in cmd.exe, I get "*Error: Could not find or load main class keytool*". Where should we be entering these commands? – Stevoisiak Oct 27 '17 at 14:40
  • 1
    Instead of "-keystore /lib/security/cacerts", you can just put "-cacerts" as a shortcut. (I believe this shortcut is a recent addition to the tool and it might not work in older versions of Java.) – Truisms Hounds Mar 19 '21 at 18:21
  • Finally i did it---- Eclipse holds it's own jre in c:/users/..... folder we have to search cacerts in that folder or find what jre eclipse is using and import to that then it works. I got cacerts in "C:\Users\username\.p2\pool\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_17.0.3.v20220515-1416\jre\lib\security" – Ajay K N Aug 25 '22 at 07:11
45

In case you have the certificate already in your Windows' certificate store (this is common in corporate/company deployments with MITM certificates), you can also use the following steps (with help from another Stackoverflow answer with more detailed explaination):

  1. Locate the eclipse.ini file in your Eclipse installation and open it

  2. Below the line -vmargs, add the following lines, then save the file:

-Djavax.net.ssl.trustStore=NUL
-Djavax.net.ssl.trustStoreType=Windows-ROOT
  1. Restart eclipse.
Christian Stadelmann
  • 516
  • 4
  • 14
9

There's a better tool for the job.

KeyStore Explorer

When you run (run as administrator in windows in order to save changes to system, sudo in linux, etc.) the application (it has installers for win/mac/linux) there's a built-in function to edit the system's cacerts file:

File -> Open Special -> Open CA Certificates

Open CA Certificates

EITHER you already have the certificate file and you can go to:

Tools -> Import Trusted Certificate

OR you need to download the certificate from the server; go to:

Examine -> Examine SSL

Examine menu

Examine SSL

From there type in the hostname and click ok. It will pop up a window showing the certificate details. At the bottom of that window there's an "Import" button that will allow you to directly import it into the cacerts.

Certificate Details for SSL Connection

Make sure you save and close cacerts, and restart your eclipse/application for the settings to take effect.

apocalysque
  • 332
  • 2
  • 6
5

Mac

  1. Open Keychain Access.app (Shortcut: press Command + Spacebar and type Keychain)
  2. Search the desired certificate file (e.g. example.cer) and right-click ➡️ Select Export... ➡️ Save it to some location e.g. Desktop.
  3. Follow the instructions in this answer to import it to your Java certificate store. The important commands are:
cd $JAVA_HOME/lib/security
sudo cp cacerts cacerts.bak
sudo keytool -importcert -alias youralias -file ~/Desktop/example.cer -keystore cacerts

The default password of the keystore is: changeit.

  1. Assuming, $JAVA_HOME/lib/security points to /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security in your system, add the following lines in the eclipse.ini file:
-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit

Note: If you are using STS, follow this answer to locate the .ini file.

  1. Restart Eclipse.
Arvind Kumar Avinash
  • 71,965
  • 6
  • 74
  • 110
2

We need to import a certificate means we need to use :

keytool 
 -importcert 
 -file <certificate_location> 
 -keystore <jre_location\lib\security\cacerts> 
 -alias "<cert_name>"

It will ask for a password. Type the password as changeit

Type Password : changeit

finally it will ask need to add {yes/no} :

type yes.

Note: Don't give blank space in location path

Stephen Rauch
  • 47,830
  • 31
  • 106
  • 135
Navaneeth
  • 51
  • 4
  • At the risk of asking a silly question, is the keytool utility available on a Windows install of Eclipse? If so, where? Thanks. EDIT: Found it. For others' benefit, it's in the Java install, e.g. C:\Program Files\Java\jre1.8.0_161\bin – Flyto Feb 19 '18 at 09:06
  • it will helpful when working in server side applications like ESB,JBoss,etc. and HTTPS service client call – Navaneeth Mar 07 '18 at 09:00
1

If you have default Java setup and have provided Java classpath, then you must be using Java Truststore for SSL certificates.

For this you can follow below steps to import certificates into Trust store:

  1. Navigate to the JRE\bin folder of your Java setup Ideally the path should be:

user\Java\jre1.8.0_221\bin

  1. You will be able to find Keytool in the bin folder(which will be used to run the commands):

Path to locate Keytool

  1. Now once you are on this path, open the path in your CMD prompt:

Bin folder in CMD

  1. Now you will be able to find default Trust store of Java at below path: Path-

user\Java\jre1.8.0_221\bin

Path to Java default Trust store

  1. Now you can run below command to see contents of this Trust store:

    keytool -list -v -keystore "C:\Program Files\Java\jre1.8.0_221\lib\security\cacerts"

Note: If your path to Trust store has spaces in it, then you need to use double quotes for the path. Else you can provide path like below:

keytool -list -v -keystore C:\Temp\Java\jre1.8.0_221\lib\security\cacerts

Now just provide password to Trust Store(Default password is: changeit): Accessing Trust store using Keytool

  1. You can now as per your need add any certificate to the Trust store:

    JRE_HOME/bin/keytool -import -trustcacerts -alias certAlias -file certFile -keystore trustStoreFile

k.a.
  • 11
  • 1
0
sudo  keytool -import  -file /Users/balaji-pt2176/Desktop/Apple\ Worldwide\ Developer\ Relations\ Certification\ Authority.cer  -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_181.jdk/Contents/Home/jre/lib/security/cacerts

in mac

Suraj Rao
  • 29,388
  • 11
  • 94
  • 103
BalajiShanmugam
  • 21
  • 2
0

You should probably create the certificate and import it into the default keystore using keytool. I'm not sure what you're trying to do with your application, but it should then be able to use that certificate.

Jonathan Holloway
  • 62,090
  • 32
  • 125
  • 150