While importing a certificate with keytool, why use the trustcacerts option?

Tags:

ssl

keytool -import -trustcacerts

I am confused with this trustcacerts option of keytool.

When I googled this I found these points:

1. Depending on the situation you may not require the -trustcacerts option. Try the operation without it if you like.

The -trustcacerts argument tells keytool that you want to import this as a trusted certificate.

Use the cacerts file to obtain trusted certificates from certificate authorities that have signed the certificate that is being imported.

At last I found out that this trustcacerts is optional, but I also have the query below:

Generally any developer/CEO of a website wants their site to be believed by the customers, so why do we need to explicitly specify this with the keytool command?

Thanks

Pawan asked Oct 17 '11 10:10



1 Answer

When you import a certificate other than a self-signed root certificate (e.g. intermediate certificates), keytool tries to build and validate a proper certificate path first.

If you use the trustcacerts parameter, then for building the path, keytool will not only consider the certificates already contained in the trust store, but it will additionally consider the certificates contained in the cacerts key store (this file is located in the lib/security folder of your JRE installation). The certificates in cacerts are a kind of default trust list, the officially trusted root certificates (similar to the lists your browser trusts by default).

The option is not really necessary since you can always force the import for a certificate. It also makes no sense when importing a self-signed root certificate, because no certificate path can be built in this situation - you either trust a root or you don't.

But it may be a nice feature if you know that the imported certificate should be issued by one of the certificates contained in cacerts - keytool would warn you if it still could not build and validate an entire certificate path - which would most likely be a warning that something is not right with the certificate you tried to import.

emboss answered Oct 18 '22 06:10
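As an added example (not code from the answer above or from keytool itself), the following Java program re-creates the path check the answer describes: it tries to build a PKIX certificate path from the certificate being imported, first against the anchors in the target trust store alone, then against the trust store plus the JRE's cacerts file, which is exactly what -trustcacerts adds. The class name, the command-line arguments and the file names are assumptions.

```java
import java.io.FileInputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added example, not keytool's own code: the path check keytool runs on import.
public class TrustCaCertsCheck {
    // Every X.509 certificate in a key store becomes a candidate trust anchor.
    static Set<TrustAnchor> anchorsOf(String file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password); // null password: entries are read, integrity is not checked
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        return anchors;
    }
    // True when a PKIX path from cert up to one of the anchors can be built.
    static boolean pathBuilds(X509Certificate cert, Set<TrustAnchor> anchors) throws Exception {
        if (anchors.isEmpty()) return false; // PKIXBuilderParameters rejects an empty set
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(cert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(cert))));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        } catch (CertPathBuilderException e) {
            return false; // the case in which keytool warns or asks whether to trust anyway
        }
    }
    // Usage (assumed names): java TrustCaCertsCheck server.cer truststore.jks changeit
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Set<TrustAnchor> anchors = anchorsOf(args[1], args[2].toCharArray());
        System.out.println("trust store only  : " + pathBuilds(cert, anchors));
        // -trustcacerts: additionally consult <java.home>/lib/security/cacerts
        anchors.addAll(anchorsOf(Paths.get(System.getProperty("java.home"),
                "lib", "security", "cacerts").toString(), null));
        System.out.println("with -trustcacerts: " + pathBuilds(cert, anchors));
    }
}
```

For a certificate issued by a public CA the first line prints false against an empty trust store and the second prints true; a certificate whose chain cannot reach any anchor prints false both times, which is the situation in which keytool's warning indicates something is wrong with the certificate.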