How to view and edit cacerts file?

Using RAD 8.5 with WAS 8.5 runtime, I am getting an exception on my console:

The keystore located at "C:\IBM\Websphere85\jdk\jre\lib\security\cacerts" failed to load due to the following error: DerInputStream.getLength(): lengthTag=109, too big..

After searching for the error I got this link which suggests to edit the file and remove blank lines/extra characters.

How do I edit the file? I am on a Windows environment and the file seems to be base64 encoded.

Prince asked Nov 26 '13 17:11



2 Answers

As far as the original question, you can use the keytool command to view and edit a keystore like cacerts.

To view all keys in the keystore, use keytool -list:

$ keytool -list -keystore ${keystore.file}

where ${keystore.file} is the path to the cacerts file, in your case C:\IBM\Websphere85\jdk\jre\lib\security\cacerts.

To remove a specific key, use keytool -delete:

$ keytool -delete -alias ${cert.alias} -keystore ${keystore.file}

where ${cert.alias} is an existing key alias from the above -list command. *

To add a new key that was already generated elsewhere, use keytool -importcert:

$ keytool -importcert -alias ${cert.alias} -keystore ${keystore.file} -file ${cer.file} 

where ${cer.file} is the path to an existing certificate or certificate chain.

Note that with each of these commands, you will be prompted for the keystore password which you can instead specify with the -storepass option. For example:

$ keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass}

* The ${cert.alias} is the left-most value in the lines output by keytool -list.

For example, if this is the output from keytool -list:

$ keytool -list -keystore ./cacerts
Enter keystore password:  

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

verisignclass1ca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

then verisignclass1ca and verisignserverca are aliases you can specify to delete.

Brandon Essler answered Oct 26 '22 08:10


Here's a way to actually solve this problem without the need to view or edit the file.

The default keystore type is JKS, and the WSKeyStore class assumes it to be a PKCS12 file, which throws the above error. So we need to convert the cacerts file to .p12 format.

Using the keytool utility from command line I executed:

C:\IBM\WebSphere85\AppServer\java\bin>keytool -importkeystore ^
 -srckeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts ^
 -destkeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts.p12 ^
 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -noprompt

which gave me a cacerts.p12 file which could be easily read by the above class.

References:

  • IBM Error
  • Stackoverflow: convert .jks to .p12
Prince answered Oct 26 '22 09:10
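Both answers above drive the keystore through the keytool CLI. The same operations (list, delete, import, and the JKS-to-PKCS12 conversion from the second answer) are available programmatically through java.security.KeyStore, which is useful when you want to check what a JVM actually trusts before deploying it. The following is an added example and is not code from the question, the answers, or IBM/WebSphere; the class name CacertsTool, the command-line layout, and the choice of SHA-256 (rather than the MD5 shown in the keytool output above) for fingerprints are my own. It first tries the preferred store type and then the other one, so a JKS file handed to PKCS12 code, the situation in the question, is reported as a load failure with the underlying cause rather than a bare DER length error, and the conversion step copies only trusted-certificate entries into the new PKCS12 store.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (not WebSphere's or keytool's own code): a small trust-store
// inspector and converter built on java.security.KeyStore.
public class CacertsTool {

    // Try the preferred type first, then the other one. KeyStore.load throws
    // IOException both for a wrong format and for a wrong password, so the
    // last cause is kept and reported if neither type works.
    static KeyStore load(String path, char[] password, String preferredType) throws Exception {
        String[] types = preferredType.equalsIgnoreCase("PKCS12")
                ? new String[]{"PKCS12", "JKS"} : new String[]{"JKS", "PKCS12"};
        IOException last = null;
        for (String type : types) {
            KeyStore ks = KeyStore.getInstance(type);
            try (FileInputStream in = new FileInputStream(path)) {
                ks.load(in, password);
                System.out.println("Loaded " + path + " as " + type);
                return ks;
            } catch (IOException e) {
                last = e;               // not this format (or bad password); try the next
            }
        }
        throw new Exception("Could not load " + path + " as JKS or PKCS12", last);
    }

    // Equivalent of `keytool -list`: alias, entry kind, subject DN, fingerprint.
    static void list(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isCertificateEntry(alias) ? "trustedCertEntry" : "PrivateKeyEntry";
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "(no certificate)";
            System.out.printf("%s, %s, %s%n    SHA-256: %s%n", alias, kind, subject, fingerprint(cert));
        }
    }

    // Hex fingerprint of the DER encoding, colon-separated like keytool's output.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Equivalent of `keytool -importcert -file`: accepts a PEM or DER X.509 file.
    static void importCert(KeyStore ks, String alias, String cerFile) throws Exception {
        try (FileInputStream in = new FileInputStream(cerFile)) {
            Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
            ks.setCertificateEntry(alias, cert);
        }
    }

    // Write the store back in the type it was loaded as (JKS stays JKS).
    static void save(KeyStore ks, String path, char[] password) throws Exception {
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    // Equivalent of `keytool -importkeystore ... -deststoretype PKCS12` for a trust
    // store: only trusted-certificate entries are copied; private keys are skipped.
    static void convertToPkcs12(KeyStore src, String destPath, char[] password) throws Exception {
        KeyStore dest = KeyStore.getInstance("PKCS12");
        dest.load(null, null);          // start an empty in-memory store
        for (String alias : Collections.list(src.aliases())) {
            if (src.isCertificateEntry(alias)) {
                dest.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        save(dest, destPath, password);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CacertsTool <keystore> <storepass> "
                    + "list | delete <alias> | import <alias> <cer-file> | convert <out.p12>");
            return;
        }
        char[] pw = args[1].toCharArray();
        KeyStore ks = load(args[0], pw, "JKS");
        switch (args[2]) {
            case "list":    list(ks); break;
            case "delete":  ks.deleteEntry(args[3]); save(ks, args[0], pw); break;
            case "import":  importCert(ks, args[3], args[4]); save(ks, args[0], pw); break;
            case "convert": convertToPkcs12(ks, args[3], pw); break;
            default:        System.err.println("unknown command: " + args[2]);
        }
    }
}
```

Run it against the path from the question, for example `java CacertsTool C:\IBM\Websphere85\jdk\jre\lib\security\cacerts changeit list`, or `... convert C:\IBM\Websphere85\jdk\jre\lib\security\cacerts.p12` to produce the same PKCS12 copy the second answer builds with keytool. Passing the store password on the command line has the same exposure as keytool's -storepass option (it is visible in process listings and shell history), which is why the answer's interactive prompt is preferable on shared machines.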