32

I am adding a cert to the Java keystore and I get the following warning. The command is successful.

```
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias my_root_ca.pem -file /usr/share/ca-certificates/foo/my_root_ca.pem
```

The warning is:

```
Warning: use -cacerts option to access cacerts keystore
```

How do I get rid of this warning?

Thanks

Vijay Kumar

1 Answer

45

It's quite easy. If you check the keytool manual you can see the following:

```
$ keytool -importcert -help
keytool -importcert [OPTION]...

Imports a certificate or a certificate chain

Options:

 ... removed for clarity
 -cacerts                access the cacerts keystore
```

To get rid of that warning you must use the -cacerts option instead of calling the cacerts keystore:

```
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias my_root_ca.pem -file /usr/share/ca-certificates/foo/my_root_ca.pem
```
72er
Lasneyx
  • this is the correct answer, feel free to accept it. – Ghiro Mar 26 '20 at 17:19
  • 2
    In Java 11, it isn't possible to use `-keystore` and `-storetype` when using `-cacerts` – Paulo Mateus Jun 02 '20 at 22:00
  • 7
    Like @PauloMateus said, I'm using Java 11 and needed to remove the `-keystore` argument to use `-cacerts` --> `$JAVA_HOME/bin/keytool -list -v -cacerts -storepass changeit` – u8it Jul 10 '20 at 15:39
  • 6
    Just a note as context: `-cacerts` option for `-importcert` was introduced in Java 9. – George Pantazes Aug 11 '20 at 13:38
  • 2
    it's unclear to me *which* "the" cacerts store is accessed (managing a build server with multiple java JDKs: 8, 9, 11, 17). Is it cacerts from system %JAVA_HOME%? or the cacerts from the current folder? or the cacerts in the same java-dir as the current keytool version? Even the [official documentation](https://docs.oracle.com/en/java/javase/17/docs/specs/man/keytool.html) is not helpful which is "*THE*" cacerts. So, I kept using the `-keystore` option, despite the warning, to be certain. – Jules Kerssemakers Jun 29 '22 at 12:28
  • 1
    The documentation says:
    'The cacerts Certificates File: A certificates file named cacerts resides in the security properties directory: Oracle Solaris, Linux, and OS X: JAVA_HOME/lib/security; Windows: java.home\lib\security. java.home is the runtime environment directory, which is the jre directory in the JDK or the top-level directory of the Java Runtime Environment (JRE).'
    – Sweder Schellens Jul 29 '22 at 09:36
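For the multi-JDK build server raised in the comments, here is an added example (not from the original post or from keytool itself) that picks `-cacerts` or an explicit `-keystore` path per JDK and always calls that JDK's own `keytool`. The function names are hypothetical, and it assumes each JDK has a `release` file with a `JAVA_VERSION` line and that `-cacerts` opens the store under the `java.home` of the JDK whose `keytool` is run.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# java_major VERSION -> major release number.
#   "1.8.0_292" -> 8, "11.0.11" -> 11, "17" -> 17, "9-ea" -> 9
java_major() {
    v=${1%%[-+_]*}                      # drop suffixes such as _292, -ea, +12
    case $v in
        1.*) v=${v#1.} ;;               # legacy 1.x numbering (Java 8 and older)
    esac
    echo "${v%%.*}"
}

# jdk_version JAVA_HOME -> value of JAVA_VERSION in the JDK's "release" file
# (assumption: the file exists and has a JAVA_VERSION="..." line).
jdk_version() {
    sed -n 's/^JAVA_VERSION="\(.*\)"$/\1/p' "$1/release" 2>/dev/null
}

# truststore_args JAVA_HOME -> keytool option(s) selecting that JDK's cacerts.
# Java 9+: -cacerts alone (it cannot be combined with -keystore/-storetype).
# Older:   explicit -keystore path; a JDK 8 keeps the file under jre/.
truststore_args() {
    major=$(java_major "$(jdk_version "$1")")
    if [ "${major:-0}" -ge 9 ] 2>/dev/null; then
        echo "-cacerts"
    elif [ -f "$1/jre/lib/security/cacerts" ]; then
        echo "-keystore $1/jre/lib/security/cacerts"
    else
        echo "-keystore $1/lib/security/cacerts"
    fi
}

# import_ca JAVA_HOME ALIAS PEM_FILE
# Calls the keytool that belongs to JAVA_HOME, so the trust store that is
# modified is that JDK's own. Assumes JAVA_HOME contains no spaces, because
# the option list is word-split on purpose.
import_ca() {
    # shellcheck disable=SC2046
    "$1/bin/keytool" -importcert -trustcacerts $(truststore_args "$1") \
        -storepass changeit -noprompt -alias "$2" -file "$3"
}

# Usage, with the paths from the question:
#   import_ca /usr/lib/jvm/java-11-openjdk-amd64 my_root_ca.pem \
#       /usr/share/ca-certificates/foo/my_root_ca.pem
```

After an import, `"$JAVA_HOME/bin/keytool" -list -v -cacerts -storepass changeit` (the command from the comments) run with the same `JAVA_HOME` shows whether the alias landed in the intended store.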