How to add a trusted root certificate to your Java Keystore
Had a small issue with a few Java apps that I run. The apps connect to MS Exchange and download attachments from emails, send out emails, create calendar entries, etc.
The problem was that this past weekend I updated my Exchange certs to use my Microsoft Certificate Server certs, which, of course, is not part of the default “Trusted Root Cert keystore”, so I had to add it.
To add your MS root cert, follow these steps (by the way, this will work with any other 3rd party CA certs):
- Point your browser to your root certificate server
- Click on the link “Download a CA certificate, certificate chain, or CRL”
- Download the CA cert (DER format is fine)
(I saved the CA certificate as “C:\certnew.cer”; remember the location because you will need it for the import command)
- Open up a command window and type the following command
C:\Java\jre1.5.0_06\bin\keytool.exe -import -keystore C:\Java\jre1.5.0_06\lib\security\cacerts -file "C:\certnew.cer"
When it prompts for a password, enter your keystore password (note that in this example I'm using the default password for Java keystores, which is “changeit”)
The output of the command should look like this
C:\Java\jre1.5.0_06\bin\keytool.exe -import -keystore C:\Java\jre1.5.0_06\lib\security\cacerts -file "C:\certnew.cer"
Enter keystore password: changeit (this is the default password for keystores)
Owner: CN=Certs, DC=pinchii, DC=com
Issuer: CN=Certs, DC=pinchii, DC=com
Serial number: 7f0000000000000000000052f8702fa0
Valid from: Wed Aug 04 10:39:12 EDT 2010 until: Tue Aug 04 10:46:24 EDT 2020
Certificate fingerprints:
    MD5: 16:00:EC:00:6F:00:23:00:36:00:D1:00:8E:00:60:00
    SHA1: 1F:00:B4:00:38:00:BB:00:FB:00:0F:00:46:00:B1:00:41:00:9F:00
Trust this certificate? [no]: yes
Certificate was added to keystore
- Test out your Java application now. You should be OK with certificates signed by your Microsoft Root Certificate Server from now on.
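The "Trust this certificate?" prompt above is the point where the fingerprint should be compared with a value obtained from the CA administrator through a separate channel. The following is an added example, not part of the original post: it computes the fingerprints of the downloaded file in keytool's format, compares the SHA1 value with the expected one, and reports whether the certificate is already in the keystore. The class name CheckRootCert and its four arguments are assumptions, and it needs Java 7 or later to compile.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper class for illustration; not from the original post.
public class CheckRootCert {
    // Colon-separated upper-case hex, the layout keytool prints.
    static String fingerprint(String algorithm, byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: CheckRootCert <ca-file> <keystore> <storepass> <expected-SHA1>");
            System.exit(2);
        }
        // The X.509 factory reads both the DER and the Base64 download.
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[0])) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String sha1 = fingerprint("SHA-1", ca.getEncoded());
        System.out.println("Owner:   " + ca.getSubjectX500Principal().getName());
        System.out.println("SHA1:    " + sha1);
        System.out.println("SHA-256: " + fingerprint("SHA-256", ca.getEncoded()));
        // Compare hex digits only, so spaces or colons in the expected value do not matter.
        String expected = args[3].replaceAll("[^0-9A-Fa-f]", "");
        if (!sha1.replace(":", "").equalsIgnoreCase(expected)) {
            System.err.println("Fingerprint mismatch: do not trust this file.");
            System.exit(1);
        }
        // Open the same keystore file that keytool was pointed at.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        String alias = ks.getCertificateAlias(ca); // null when the certificate is absent
        System.out.println(alias == null ? "Not in keystore yet: run the import."
                                         : "Present in keystore under alias: " + alias);
    }
}
```

Run it once before the import to check the fingerprint, and again afterwards to confirm that the cacerts file your application's JRE uses now contains the certificate.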