Adding a web-server’s certificate to Java’s keystore

When you try to connect to a secured website, you will need the server’s certificate within Java’s keystore. If you don’t have it, you will get a sun.security.provider.certpath.SunCertPathBuilderException because the handshake between server and client fails.

To solve this, you can get the certificate from a web browser (like Firefox). Open the page’s security properties and export the certificate as *.PEM (Base64-encoded DER certificate) without the certification authorities. Store the file in your filesystem at <cert-path>.

Check your Java installation and log in as a user who has write access to <java>/lib/security/cacerts.

Execute
keytool -import -file <cert-path> -alias <cert-name> -keystore <java>/lib/security/cacerts

The <cert-path> is the path to your saved certificate and <cert-name> is an alias for the certificate; you can use the web server’s domain. The default password of the cacerts keystore is changeit.
keytool prints the information about the certificate; at the end, answer the question with yes.

If you have already used the alias within the keystore (e.g. for an old certificate), you can use

keytool -delete -alias <cert-name> -keystore <java>/lib/security/cacerts

to remove the old certificate.

Now the Java application is able to connect to the secured website. Double-check which installation is used; sometimes your application uses its own JRE or another version on your filesystem.
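
The import and replace steps above as one script, with a fingerprint comparison in place of the interactive yes. This is an added example, not part of the original post; the function names and the expected-fingerprint argument (a value you obtain from the server’s operator through a separate channel) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Extract the first "SHA256: AA:BB:..." value from keytool output on stdin.
sha256_line() { sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1; }

# cert_sha256 <cert-path>: fingerprint of the exported certificate file.
cert_sha256() { LC_ALL=C keytool -printcert -file "$1" 2>/dev/null | sha256_line; }

# alias_sha256 <keystore> <cert-name> <storepass>: fingerprint stored under an alias.
alias_sha256() {
    LC_ALL=C keytool -list -v -alias "$2" -keystore "$1" -storepass "$3" 2>/dev/null |
        sha256_line
}

# import_cert <cert-path> <cert-name> <keystore> <storepass> <expected-sha256>
# Returns 1 without touching the keystore if the fingerprint does not match.
import_cert() {
    cert=$1 name=$2 store=$3 pass=$4 expected=$5
    actual=$(cert_sha256 "$cert")
    # Case-insensitive comparison with the fingerprint obtained out-of-band.
    if [ -z "$actual" ] ||
       [ "$(printf %s "$actual" | tr a-f A-F)" != "$(printf %s "$expected" | tr a-f A-F)" ]
    then
        echo "fingerprint mismatch for $cert: got '$actual'" >&2
        return 1
    fi
    # Remove an old certificate stored under the same alias.
    if keytool -list -alias "$name" -keystore "$store" -storepass "$pass" >/dev/null 2>&1
    then
        keytool -delete -alias "$name" -keystore "$store" -storepass "$pass"
    fi
    # -noprompt skips the yes/no question; the check above stands in for it.
    # A password given with -storepass is visible in the local process list.
    keytool -import -noprompt -file "$cert" -alias "$name" \
        -keystore "$store" -storepass "$pass"
}

# Usage, with the placeholders from the text:
#   import_cert <cert-path> <cert-name> <java>/lib/security/cacerts changeit <expected-sha256>
#   alias_sha256 <java>/lib/security/cacerts <cert-name> changeit
```

Running alias_sha256 against the cacerts file of the JRE your application actually starts shows whether the import landed in the right installation.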
