I would like to understand the Java runtime's requirement for SSL certificate storage in general. I understand certificates can be copied to the host's /etc/ssl/certs folder, but for Java, do they need to be imported into a specific keystore for the runtime to be able to use them in any SSL verification performed by the application? E.g., if I have a JRE client that requires packaging of root/intermediate certificates to make web requests internally to site1.foo.com, I will need the root and intermediate certificates, depending on the chain, to verify the request.

With various other runtime environments, it seems I can just place them in the /etc/ssl/certs folder:
  • NodeJS: How to add custom certificate authority (CA) to nodejs
  • Go: Where is Golang picking up root CAs from?

However, presumably for use in Java, I need to take an extra step and use keytool to import into a specific keystore? Presumably it can't just pick them up from a common directory as above? Hope my question makes sense.

Rubans
  • Yes. Java requires a keystore. Several different formats are supported including PKCS#12. – user207421 Mar 15 '21 at 23:48
  • Java doesn't depend on the OS for certificate handling, it has its own list of certified root certificates. They are stored in a file named `cacerts` in the `JRE_HOME/lib/security` folder. – Andreas Mar 16 '21 at 00:36

In Java, collections of certificates are usually accessed through a KeyStore interface.

As remarked in the comments the default SSLContext will read the certificates from a PKCS12 (or JKS) file located in $JRE_HOME/lib/security/cacerts.

However that is not the only possibility and you don't have to call keytool to add trusted certificates:

  • on Debianoids you can use -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts (cf. this question) to use the PKCS12 file provided by the ca-certificates-java package. It is updated whenever you call update-ca-certificates. Therefore you just need to add a *.crt file in /usr/local/share/ca-certificates and run update-ca-certificates.

  • if you don't use the default SSLContext you can initialize it with a different TrustManager (cf. this question). That's how Tomcat 8.5+ loads certificates in PEM format.

Unfortunately there is no implementation of KeyStore that reads certificates from a directory, but that can easily be written.

Edit: On Debianoids the packaged JREs already use /etc/ssl/java/cacerts, so no further configuration is needed.

Piotr P. Karwasz