Importing certificates into keystores


Import Root and Intermediate Certificate into Java TrustStore

For certain constellations, for example when connecting to an LDAP server, it may be necessary to import the root certificate or the root and intermediate certificates used to create the other server's certificate into the Java TrustStore.

Java TrustStore

The Java TrustStore contains all root certificates trusted by a Java installation. Note that on systems with several Java versions installed, the relevant TrustStore is the one belonging to the Java that the application server running Xima® Formcycle uses. A full path might, for example, look like this:

"C:\Program Files\AdoptOpenJDK\jdk-11.0.9.101-hotspot\lib\security\cacerts"

Note also that the path can differ considerably depending on the operating system and on how the Java in use was installed. On Linux in particular, the cacerts file inside the Java installation folder is sometimes only a symbolic link to the real location of the TrustStore (it is that real file which needs write access when importing). The file name of the TrustStore is usually cacerts.

Unless it has been changed, the default password changeit is used for the Java TrustStore in most environments.

The following section discusses two ways in which root and intermediate certificates can be imported into the TrustStore of a Java installation.

Import with keytool

For this, the keytool utility is used, which is normally shipped in the bin directory of the Java installation in use.

When the tool is called, the following parameters are used, which must be adapted to the specific environment:

"Alias name of the certificate"
Alias under which the certificate is stored in the TrustStore. It can be chosen freely, but no other certificate with the same alias may already exist in the TrustStore.
"certificate.cer"
Name of (and, if necessary, path to) the certificate file to import
"Path-to-certificate-store"
Full path to the Java TrustStore

The command to execute is:

keytool -importcert -trustcacerts -alias "Alias name of the certificate" -file "certificate.cer" -keystore "Path-to-certificate-store"

Import with KeyStore Explorer

The KeyStore Explorer is a graphical Java tool for creating and editing keystores of various types. Note that the KeyStore Explorer must be started with sufficient rights to have read and write access to the TrustStore. After the KeyStore Explorer has been started, the following steps must be performed:

First, the TrustStore must be opened in KeyStore Explorer. This is done via the button Open an existing KeyStore:

[Screenshot: TrustStore_KeyStore_Explorer_en_1.png]

In the dialog that opens, the TrustStore to be used must be selected. Then another dialog opens in which the password of the TrustStore must be entered:

[Screenshot: TrustStore_KeyStore_Explorer_en_2.png]

Subsequently, KeyStore Explorer displays a list of all certificates contained in the TrustStore. Now click Tools > Import Trusted Certificate in the menu and select the certificate to be imported in the dialog that opens:

[Screenshot: TrustStore_KeyStore_Explorer_en_3.png]

A dialog then opens in which the alias name under which the certificate will be stored in the TrustStore must be entered. The only requirement for this alias is that no other certificate in the TrustStore already uses it:

[Screenshot: TrustStore_KeyStore_Explorer_en_4.png]

After that, a message should appear confirming that the certificate has been imported successfully. The changes to the TrustStore now only have to be saved, either via the Save icon in the toolbar or via the menu under File > Save. If it turns out at this point that the KeyStore Explorer does not have write permission for the TrustStore, the store can first be saved to a different location via File > Save As and then moved to the correct location by a user with the appropriate permissions.

Import of intermediate certificates

If the certificate to be trusted was issued via an intermediate certificate, that intermediate certificate may also have to be imported. This is necessary if the server with which the connection is to be established does not send the intermediate certificate itself. The import is performed in the same way as for the root certificate, following the instructions above with the alias and the file name or path adapted to the intermediate certificate.
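The following script is an added example and not part of the Formcycle documentation. It carries the keytool procedure above (root certificate) and this section (intermediate certificate) through in one go: it resolves the cacerts file behind JAVA_HOME, following the symbolic link that Linux installations often use, refuses to import under an alias that is already present in the TrustStore, and lists the entry back after each import as a check. It assumes that JAVA_HOME points at the Java used by the application server, that keytool is on the PATH, and that the store password is the default changeit unless STOREPASS is set; the alias and file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the Formcycle documentation): import a root and an
# intermediate certificate into the TrustStore of the Java that runs the
# application server. Assumes keytool is on the PATH and JAVA_HOME is set.

STOREPASS="${STOREPASS:-changeit}"   # default TrustStore password

# Resolve the TrustStore of the Java installation given as $1 (default:
# JAVA_HOME). On Linux lib/security/cacerts is often only a symbolic link
# to the real file, so the link is followed: the resolved path is the file
# that needs write permission. Prints the path, or fails if none is found.
find_truststore() {
    _home="${1:-$JAVA_HOME}"
    for _rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -e "$_home/$_rel" ]; then
            readlink -f "$_home/$_rel"
            return 0
        fi
    done
    return 1
}

# Succeeds if the alias is already used in the store; keytool -list exits
# non-zero when the alias does not exist.
alias_exists() {
    _store="$1"; _alias="$2"
    keytool -list -keystore "$_store" -storepass "$STOREPASS" \
        -alias "$_alias" >/dev/null 2>&1
}

# Import one certificate file under the given alias, then list it back.
import_cert() {
    _store="$1"; _alias="$2"; _file="$3"
    if alias_exists "$_store" "$_alias"; then
        echo "alias '$_alias' already exists in $_store; choose another" >&2
        return 1
    fi
    keytool -importcert -trustcacerts -noprompt \
        -alias "$_alias" -file "$_file" \
        -keystore "$_store" -storepass "$STOREPASS" || return 1
    keytool -list -keystore "$_store" -storepass "$STOREPASS" -alias "$_alias"
}

# Import the root certificate ($1 alias, $2 file) and the intermediate
# certificate ($3 alias, $4 file) into the resolved TrustStore.
import_chain() {
    _store="$(find_truststore)" || {
        echo "no cacerts found under JAVA_HOME=$JAVA_HOME" >&2; return 1; }
    import_cert "$_store" "$1" "$2" && import_cert "$_store" "$3" "$4"
}

# Usage (placeholder names):
#   import_chain ldap-root ldap-root.cer ldap-intermediate ldap-intermediate.cer
```

Run the script as a user with write access to the resolved cacerts file; if the import under one alias fails because the alias is taken, nothing is written and a different alias can be chosen, which is the same rule the KeyStore Explorer dialog enforces.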