What format is java's cacerts format expected to be?

Tags:

java

ssl

pki

I'm slightly confused about cacerts formats. An application I use recently had to upgrade its cacerts file. The original cacerts file was pk12 format (I assume, it's binary), while the new format is clearly pem. I can use either cacert, but when I suggested someone having trouble with authentication upgrade to the new cacert he gets complaints because it is not a pk12 format.

What file format should cacerts be? Can it be either format? Does something configure/define which format it should expect?

dsollen asked Dec 12 '14 19:12



2 Answers

On any normal Oracle Java installation (before Java 9, this is an old answer), cacerts should be a proprietary, binary, JKS key store type. I've checked this against 1.8.0_20. From 9 onwards it is replaced by a binary PKCS#12 key store (or rather, trusted certificate store).

To be sure you may use file cacerts on GNU systems (Linux). If you have something different you may have a different JRE or the cacerts file is replaced.

You can manage the contents of cacerts using the keytool command delivered with the JDK.

Note that the key store that contains the private key(s) for authentication usually is a PKCS#12 key store.

Maarten Bodewes answered Sep 18 '22 13:09
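To make the answer above concrete, here is an added example (not from the answer's author or from the JDK) that does in Python what `file cacerts` does on Linux: it looks at the leading bytes of a trust-store file and reports whether it is a JKS store (magic 0xFEEDFEED), a JCEKS store (magic 0xCECECECE), a DER-encoded PKCS#12 store (an ASN.1 SEQUENCE whose first element is the INTEGER version 3), or a PEM bundle. The sample inputs are constructed header fragments, not real stores, so the script runs offline; `sniff_keystore` and `sniff_file` are names chosen for this example.

```python
# Added example: identify the on-disk format of a Java trust store by its
# leading bytes. Not part of the original answers; sample blobs are constructed.
import struct

JKS_MAGIC = 0xFEEDFEED    # Sun/Oracle proprietary "JKS" store (pre-Java 9 default)
JCEKS_MAGIC = 0xCECECECE  # SunJCE "JCEKS" store


def _der_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, index after it)."""
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1            # short form
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def sniff_keystore(data: bytes) -> dict:
    """Classify a keystore/truststore blob from its header bytes."""
    # PEM: text armour; one "-----BEGIN" per certificate in a CA bundle.
    if data.lstrip().startswith(b"-----BEGIN "):
        return {"format": "PEM", "entries": data.count(b"-----BEGIN ")}
    # JKS / JCEKS: big-endian int magic, int version, int entry count.
    if len(data) >= 12:
        magic, version, count = struct.unpack(">III", data[:12])
        if magic == JKS_MAGIC:
            return {"format": "JKS", "version": version, "entries": count}
        if magic == JCEKS_MAGIC:
            return {"format": "JCEKS", "version": version, "entries": count}
    # PKCS#12: PFX ::= SEQUENCE { version INTEGER (3), authSafe ..., macData ... }
    if data[:1] == b"\x30":
        try:
            _, pos = _der_length(data, 1)
        except ValueError:
            return {"format": "unknown"}
        if data[pos:pos + 3] == b"\x02\x01\x03":
            return {"format": "PKCS12", "version": 3}
        return {"format": "DER (not PKCS#12)"}  # e.g. a bare DER certificate
    return {"format": "unknown"}


def sniff_file(path: str) -> dict:
    """Read the first 4 KiB of a file (enough for every header above) and classify it."""
    with open(path, "rb") as fh:
        return sniff_keystore(fh.read(4096))


# Constructed sample headers (not real key stores) for an offline demonstration.
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 150) + b"\x00" * 8
SAMPLE_JCEKS = struct.pack(">III", JCEKS_MAGIC, 2, 3) + b"\x00" * 8
SAMPLE_PKCS12 = b"\x30\x82\x01\x00" + b"\x02\x01\x03" + b"\x00" * 16
SAMPLE_DER_CERT = b"\x30\x82\x02\x10\x30\x82\x01\xf8" + b"\x00" * 16
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n") * 2

if __name__ == "__main__":
    for name, blob in [("jks", SAMPLE_JKS), ("jceks", SAMPLE_JCEKS),
                       ("pkcs12", SAMPLE_PKCS12), ("der-cert", SAMPLE_DER_CERT),
                       ("pem", SAMPLE_PEM), ("garbage", b"not a keystore")]:
        print(f"{name:9s} -> {sniff_keystore(blob)}")
```

Run it against a real file with `sniff_file("/path/to/cacerts")`. The point of the check is the one made in the answer: if a cacerts file turns out to be PEM, it was never produced by `keytool`, and an application that opens it with `KeyStore.getInstance("JKS")` or `"PKCS12"` will reject it; conversely a JDK whose `java.security` has `keystore.type.compat=true` (the default on recent releases) loads a JKS or PKCS#12 store interchangeably, which is why the same binary cacerts can work on one JDK and fail on an older one.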


Perhaps this might help others with similar searches: I was trying to find the default list of trusted certificate authorities for the Java Runtime Environment because we wanted to install an SSL certificate into Tomcat. Had to finally remove oracle site from google searches and found this method to parse the binary file for the list. Good luck finding it at Oracle.com!

http://www.herongyang.com/PKI/HTTPS-Java-Default-Trusted-KeyStore-File-cacerts.html

<java jre directory>\bin\keytool -list -keystore cacerts -storepass changeit

Or you could do it the easy way by clicking the "system" tab when checking the java control panel - security - certificates

PBSLuvr answered Sep 17 '22 13:09