How do I find out what keystore my JVM is using?

Question

I need to import a certificate into my JVM keystore. I am using the following:

keytool -import -alias daldap -file somecert.cer

so I would need to probably change my call into something like:

keytool -import -alias daldap -file somecert.cer -keystore cacerts –storepass changeit

You need to import a certificate into your JVM *truststore,* unless its a signed CSR, in which case you should be importing it into your *own* keystore, and you must already know where that is, otherwise you wouldn't have been able to generate the keypair or the CSR. — user207421, Aug 29 '14 at 06:39

kosa · Answer 1 · 2014-11-13T17:15:21.337

159

Your keystore will be in your JAVA_HOME---> JRE -->lib---> security--> cacerts. You need to check where your JAVA_HOME is configured, possibly one of these places,

Computer--->Advanced --> Environment variables---> JAVA_HOME
Your server startup batch files.

In your import command -keystore cacerts (give full path to the above JRE here instead of just saying cacerts).

edited Nov 13 '14 at 17:15

answered Jan 24 '12 at 00:14

kosa

65,990
13
130
167

8

/Library/Java/Home/lib/security/cacerts on Mac OS X 10.9 – Sam Barnum Jun 12 '14 at 18:19
13

* "JAVA_HOME---> JRE -->lib---> security--> cacerts" Note the "s" at the end, just for any future readers. – Keir Nellyer Jul 27 '14 at 19:15
5

So if I install a new version of Java, and JAVA_HOME is pointing to a new directory, am I going to have certificate issues? – Kirill Yunussov Dec 15 '15 at 16:25
1

@KirillYunussov: If you have installed any certs to old JRE, then you need to import same certs to new JRE too. – kosa Dec 15 '15 at 16:46
How to check JAVA_HOME for linux machine ? – Murphy Jul 22 '16 at 18:47
1

@Murphy : This might help you http://stackoverflow.com/questions/5251323/where-can-i-find-the-java-sdk-in-linux – kosa Jul 22 '16 at 20:42
7

this is trust store location rather than key store location I think. – user2001850 Feb 23 '17 at 23:18
2

/usr/lib/jvm//jre/lib/security/cacerts on Ubuntu and other Debian-based systems – Tadhg May 05 '17 at 15:37
On Ubuntu, running `echo $JAVA_HOME` with root prints me nothing. – Gergely Lukacsy Aug 03 '23 at 15:19

dbrin · Answer 2 · 2022-04-04T19:59:28.007

Keystore Location

Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named .keystore in the user's home directory, as determined by the "user.home" system property. Given user name uName, the "user.home" property value defaults to

C:\Users\uName on Windows 7 systems
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems

Thus, if the user name is "cathy", "user.home" defaults to

C:\Users\cathy on Windows 7 systems
C:\Winnt\Profiles\cathy on multi-user Windows NT systems
C:\Windows\Profiles\cathy on multi-user Windows 95 systems

https://docs.oracle.com/en/java/javase/17/docs/specs/man/keytool.html#importing-a-certificate-for-the-ca

I've been searching for this mystery `~/.keystore` file! If I left off the `-keystore` parameter, I couldn't figure out which default keystore `keytool` targeting. I kept looking for other `cacerts` somewhere else on the machine. I didn't expect keytool to generate `~/.keystore` in the home directory, nor for it to be named `.keystore` instead of `cacerts`. You've filled in a blank that the Java folks should document! Thank you! — George Pantazes, Dec 13 '18 at 22:40

score 30 · Answer 3 · answered Nov 02 '16 at 00:25

Mac OS X 10.12 with Java 1.8:

$JAVA_HOME/jre/lib/security

cd $JAVA_HOME

/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home

From there it's in:

./jre/lib/security

I have a cacerts keystore in there.

To specify this as a VM option:

-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit

I'm not saying this is the correct way (Why doesn't java know to look within JAVA_HOME?), but this is what I had to do to get it working.

score 24 · Answer 4 · edited Oct 28 '18 at 06:58

24

You can find it in your "Home" directory:

On Windows 7:

C:\Users\<YOUR_ACCOUNT>\.keystore

On Linux (Ubuntu):

/home/<YOUR_ACCOUNT>/.keystore

edited Oct 28 '18 at 06:58

Diptangsu Goswami

5,554
3
25
36

answered Nov 11 '13 at 03:35

Evans Y.

4,209
6
35
43

5

i don't have this directory on windows – simgineer Nov 28 '13 at 00:42
1

I did a -keygen without specifying a keystore, expecting it to create one in the current directory, but it created it in my home as you said. ~/.keystore Couldn't find it for ages! :-) Thanks. – Eurospoofer Feb 08 '17 at 20:54
let me add that under cygwin the windows path is used since the java property `user.home` is equal to `$HOMEDRIVE$HOMEPATH` set by windows and not on `$HOME` set by cygwin where `HOMEDRIVE=C:` and `HOMEPATH=\Users\[YOUR ACCOUNT]` – user1708042 Aug 10 '17 at 14:00
Are you 100pct sure ***JVM*** does read these? – Jaroslav Záruba Aug 18 '21 at 08:57
this isn't true on my ubuntu – johannes_lalala Apr 14 '22 at 08:47

ceving · Answer 5 · 2012-12-12T13:29:37.317

This works for me:

#! /bin/bash

CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))/../lib/security/cacerts)

if keytool -list -keystore $CACERTS -storepass changeit > /dev/null ; then
    echo $CACERTS
else
    echo 'Can not find cacerts file.' >&2
    exit 1
fi

Only for Linux. My Solaris has no readlink. In the end I used this Perl-Script:

#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$_/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $_;
my $keytool = $_;
print "Using '$keytool'.\n";
s/keytool$//;
$_ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $_;
my $cacerts = $_;
print "Importing into '$cacerts'.\n";
`$keytool -list -keystore "$cacerts" -storepass changeit`;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
    my $cert = $_;
    s/\.[^.]+$//;
    my $alias = $_;
    print "Importing '$cert' as '$alias'.\n";
    `keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit`;
    warn "Can not import certificate: $?" unless $? == 0;
}

This helped me to find a new key store that I wasn't aware of. Thank you — smido, Jan 10 '22 at 14:59

score 11 · Answer 6 · answered Apr 25 '19 at 01:27

11

On Debian, using openjdk version "1.8.0_212", I found cacerts here:

 /etc/ssl/certs/java/cacerts

Sure would be handy if there was a standard command that would print out this path.

answered Apr 25 '19 at 01:27

Patrick Beard

592
6
11

this is the path too in Alpine Linux - `keytool -list -cacerts` to show the certs – Stuart Cardall Jul 03 '23 at 20:34

score 7 · Answer 7 · edited Dec 06 '13 at 10:51

7

As DimtryB mentioned, by default the keystore is under the user directory. But if you are trying to update the cacerts file, so that the JVM can pick the keys, then you will have to update the cacerts file under jre/lib/security. You can also view the keys by executing the command keytool -list -keystore cacerts to see if your certificate is added.

edited Dec 06 '13 at 10:51

MADHAIYAN M

2,028
25
22

answered Jul 05 '12 at 17:50

Sharan Rajendran

3,549
2
19
6

Nice to know that the keytool command adds the correct `lib/security` path automatically if given only the relative name. – ceving Dec 05 '12 at 13:58
2

But this will not work for `-importcert`. The list command shows the system wide certificates but the import command generates a new file in the current directory. – ceving Dec 05 '12 at 14:14
1

`updatedb; locate cacerts` helps for finding where the install locations of th e cacerts files are. – sjas Mar 26 '15 at 11:17

score 5 · Answer 8 · answered Aug 28 '19 at 08:48

5

For me using the official OpenJDK 12 Docker image, the location of the Java keystore was:

/usr/java/openjdk-12/lib/security/cacerts

answered Aug 28 '19 at 08:48

jonashackt

12,022
5
67
124

3

That's a truststore, not a keystore. – user207421 Aug 28 '19 at 09:04
3

First: If you read the question carefully (and your own comment), it sounds more like a Truststore, where a cert should be imported. Second, the difference between the Truststore and Keystore is quite disorienting - and both use the term "Keystore" btw, since they use the format both. Third: If you have a look at the import command `keytool -import -file example.crt -alias exampleCA -keystore truststore.jks` you also use the parameter `-keystore`... quite unclear IMHO. And last but not least: I was searching about that exact problem - and found that so question. Maybe others exp the same. – jonashackt Oct 02 '19 at 12:05
Furthermore all other answers also refer to the so called "Truststore" the JDK uses to validate. So did you also downvote all the other answers as well? I already received an upvote, so there's already somebody my answer helped out. – jonashackt Oct 02 '19 at 12:11

score 0 · Answer 9 · answered Oct 26 '15 at 13:06

We encountered this issue on a Tomcat running from a jre directory that was (almost fully) removed after an automatic jre update, so that the running jre could no longer find jre.../lib/security/cacerts because it no longer existed.

Restarting Tomcat (after changing the configuration to run from the different jre location) fixed the problem.

score 0 · Answer 10 · answered Mar 04 '19 at 21:17

0

In addition to all answers above:

If updating the cacerts file in JRE directory doesn't help, try to update it in JDK.

C:\Program Files\Java\jdk1.8.0_192\jre\lib\security

answered Mar 04 '19 at 21:17

VSh

438
4
13

How do I find out what keystore my JVM is using?

10 Answers10

Linked