Cryptography - Java cacerts truststore (CA Certificates)


1 - About

cacerts is the default truststore of Java. It comes with the Java installation.

It is in the JKS format and contains CA certificates.

If your server's certificate is signed by a recognized CA, the default truststore (cacerts) that ships with the JRE will already trust it, because it already trusts the trustworthy CAs.

A truststore stores the certificates of the third parties that your Java application communicates with, or certificates signed by a CA, which can be used to identify those third parties.

3 - Management

3.1 - Create

You can create a truststore yourself if you want.

Example with a web server:

openssl s_client -host clus-spark-01.azurehdinsight.net -port 443 -prexit -showcerts
  • Save each certificate in PEM format.
  • The first one:
azurehdinsight.pem
  • The second one:
msft.pem
  • Then import them
keytool -import -alias hdinsight -file azurehdinsight.pem -keystore trust.jks -noprompt -storepass 123456
keytool -import -alias msft -file msft.pem -keystore trust.jks -noprompt -storepass 123456
Certificate was added to keystore
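
The fetch, save and import steps above, as an added shell example (not part of the original page): it splits the s_client output into one PEM file per certificate and shows each certificate's fingerprint before importing it, since certificates copied from a live connection are only as trustworthy as that connection. The function names, the TRUST_PASS variable and the sample host names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# split_chain OUTDIR PREFIX: read `openssl s_client -showcerts` output on stdin,
# write OUTDIR/PREFIX-1.pem, OUTDIR/PREFIX-2.pem, ... and print how many were written.
# Stops at "Server certificate", where s_client prints the leaf a second time.
split_chain() {
  awk -v dir="$1" -v pre="$2" '
    /^Server certificate/          { exit }
    /^-----BEGIN CERTIFICATE-----/ { n++; file = dir "/" pre "-" n ".pem"; inside = 1 }
    inside                         { print > file }
    /^-----END CERTIFICATE-----/   { if (inside) close(file); inside = 0 }
    END                            { print n + 0 }
  '
}

# review_and_import PEMFILE ALIAS KEYSTORE: print subject, issuer, expiry and SHA-256
# fingerprint, then import. Without -noprompt, keytool shows the certificate and asks
# for confirmation: compare the fingerprint with one obtained out of band first.
# TRUST_PASS is an assumed environment variable holding the store password.
review_and_import() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256 || return 1
  keytool -importcert -alias "$2" -file "$1" -keystore "$3" -storepass:env TRUST_PASS
}

# Constructed sample shaped like s_client output; bodies are placeholders, not real
# certificates, so only split_chain runs on it.
sample_output() {
  cat <<'EOF'
Certificate chain
 0 s:CN = server.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERISSUER
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)
sample_output | split_chain "$demo_dir" chain   # prints 2
```

Against a real server, pipe the openssl s_client command shown earlier into split_chain, then call review_and_import on each resulting file.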