
In my Spring boot application, I need to call an API (GET: https://anotherserver.com/api) on another server. The server admin gave me a file named cacerts(no extension), and told me to import the file using VM options every time I start my Spring boot application.

-Djavax.net.ssl.trustStore=C:\Users\k26342\Downloads\cacerts -Djavax.net.ssl.trustStorePassword=changeit

It did work. Now I want to write some code to do so instead of using VM options but I have no idea how. I found some posts (like this and this) but the posts are about keystore or X509Certificate which I think are different from my case.

Any help is appreciated.

6324
  • This is the correct option to set a truststore. You can also set it using `System.setProperty("javax.net.ssl.trustStore",path_to_your_cacerts_file);` or configure a truststore for a specific connection loading the keystore dynamically. See http://stackoverflow.com/a/859271/6371459 – pedrofb Jan 25 '17 at 18:39
  • @pedrofb Thanks. Your solution is correct. I just need to add two lines of code: `System.setProperty("javax.net.ssl.trustStore", trustStorePath); System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);`. Please post an answer if you have time and I will accept it. :) – 6324 Jan 27 '17 at 16:44

3 Answers

Using a custom truststore is a correct option to set the trusted certificates accepted in an SSL connection. You can also set the default truststore using System.setProperty() instead of -D:

System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

Alternatively you can configure a truststore for a specific connection, loading the keystore dynamically. See https://stackoverflow.com/a/859271/6371459

pedrofb

System.setProperty works, but I think it is better to load the truststore via Java code.

https://stackoverflow.com/a/58695061/1938507

Junaed
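As an added example (not code from pedrofb's or Junaed's answers, nor from the linked posts), this is the per-connection approach both answers point to: the truststore file is loaded into a KeyStore, wrapped in a TrustManagerFactory, and the resulting SSLContext is applied to one HttpsURLConnection only. The file path, password and URL are the ones from the question; the class name CustomTrustStoreClient and the method sslContextFrom are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreClient {

    // Builds an SSLContext whose trust anchors are exactly the CAs in the given
    // truststore file. Path and password are the values from the question's -D options.
    static SSLContext sslContextFrom(String trustStorePath, char[] trustStorePassword) throws Exception {
        // Default type is "jks" on JDK 8 and "pkcs12" on JDK 9+; the PKCS12
        // implementation on 9+ also reads JKS files, so a JDK-style cacerts loads either way.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            // The password is used to verify the integrity of the store, not to decrypt certificates.
            trustStore.load(in, trustStorePassword);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material (null KeyManagers), default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFrom("C:\\Users\\k26342\\Downloads\\cacerts", "changeit".toCharArray());

        URL url = new URL("https://anotherserver.com/api");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Applies only to this connection; the JVM-wide default truststore is left untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The same SSLContext can be handed to whichever HTTP client the Spring Boot application actually uses. Two caveats apply to the System.setProperty alternative: javax.net.ssl.trustStore replaces the JVM's default cacerts rather than adding to it, so the admin-supplied file must contain every CA the application needs, and the property is only read when the default SSLContext is first initialized, so it has to be set before any TLS connection is opened (for example at the top of the main method). The per-connection approach above avoids both problems.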

Although you should be careful fiddling with JRE installation, you can programmatically install a new cacerts file in the JRE installation with something like:

// Uses java.nio.file.Files/Paths/StandardCopyOption; REPLACE_EXISTING is needed because cacerts already exists.
Path from = Paths.get("C:\\Users\\k26342\\Downloads\\cacerts");
Path to = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
Files.copy(from, to, StandardCopyOption.REPLACE_EXISTING);

Note 1: It is recommended to backup the original cacerts file first.

Note 2: There can be security constraints stopping you from doing the above if you are not running the code as administrator.

holmis83
    I disagree with this option. In addition to the problems you mention **you may be affecting other applications and causing a security issue**. You also do not know if `java.home` is pointing to tomcat's JDK. And changes will occur after the next start – pedrofb Jan 25 '17 at 11:31
  • @pedrofb Agree it is not best practice, but OP did not want to use `-D` argument or one of the linked solutions. – holmis83 Jan 25 '17 at 16:11
  • I did not see _It did work_. In any case OP it is not pointing in the right direction. – pedrofb Jan 25 '17 at 18:36
  • This looks like a bad idea – aliopi Apr 25 '17 at 14:00