System Administration Guide: Basic Administration

How to Import a Trusted Certificate into the Package Keystore (pkgadm addcert)

  1. Become superuser or assume an equivalent role.

  2. Verify that the Root CA certificate exists in the Java keystore.


    # keytool -storepass storepass -list -keystore certfile
    

    keytool

    Manages a Java keystore (database) of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. Also manages certificates from trusted entities. For more information on the keytool command, see keytool-Key and Certificate Management Tool.

    -storepass storepass

    Specifies the password that protects the integrity of the Java keystore. 

    -list

    Lists the entries in the keystore. By default, each certificate is shown with its MD5 fingerprint. 

    -keystore certfile

    Specifies the name and location of the persistent Java keystore file. 

  3. Export the Root CA certificate from the Java keystore to a temporary file.


    # keytool -export -storepass storepass -alias gtecybertrustca -keystore certfile 
    -file filename
    

    -export

    Exports the trusted certificate. 

    -storepass storepass

    Specifies the password that protects the integrity of the Java keystore. 

    -alias gtecybertrustca

    Identifies the alias of the trusted certificate. 

    -keystore certfile

    Specifies the name and location of the Java keystore file, for example /usr/j2se/jre/lib/security/cacerts. 

    -file filename

    Identifies the file to hold the exported certificate. 

  4. Import a trusted certificate to the package keystore.


    # pkgadm addcert -t -f format certfile
    

    -t

    Indicates that the certificate is a trusted CA certificate. The command output includes the details of the certificate (alias, common name, validity dates, and MD5 and SHA1 fingerprints), which the user is asked to verify before the certificate is trusted. Compare the displayed fingerprint with a value obtained from the CA through an independent channel; once the certificate is in the package keystore, every package signed under it is accepted as trusted. 

    -f format

    Specifies the format of the certificates or private key. When importing a certificate, the file must be encoded in either the PEM (pem) or binary DER (der) format. keytool -export writes DER unless the -rfc option is given, in which case it writes PEM.

    certfile

    Specifies the file that contains the certificate. 

    For more information, see the pkgadm man page.

  5. Remove the temporary file.

Example—Importing a Trusted Certificate

The following example shows how to import a trusted certificate. In this example, the GTE CyberTrust Root CA certificate, stored under the alias gtecybertrustca, is exported from the Java keystore with the keytool command and then imported into the package keystore with the pkgadm addcert command.


# keytool -export -storepass changeit -alias gtecybertrustca -keystore 
/usr/j2se/jre/lib/security/cacerts -file /tmp/root.crt
Certificate stored in file </tmp/root.crt>
# pkgadm addcert -t -f der /tmp/root.crt
Enter Keystore Password: storepass
      Keystore Alias: GTE CyberTrust Root
         Common Name: GTE CyberTrust Root
    Certificate Type: Trusted Certificate
  Issuer Common Name: GTE CyberTrust Root
      Validity Dates:<Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT>
     MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
    SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC...
Trusting certificate <GTE CyberTrust Root>
Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): xxx
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): xxx
Certificate(s) from </tmp/root.crt> are now trusted
# rm /tmp/root.crt
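The following script is an added example and is not part of the Sun guide. It runs steps 2 through 5 of the procedure in one pass and replaces the manual fingerprint check with a comparison against a fingerprint recorded in advance: the exported DER file is fingerprinted with openssl and handed to pkgadm addcert -t only if that fingerprint equals the pinned value, and the temporary file is removed whether or not the import succeeds. The cacerts path and the changeit password are the J2SE defaults, the alias is the one used above, the openssl call is an assumption about the host, and the PINNED_SHA1 value is a constructed placeholder that the administrator must replace with the fingerprint published by the CA.

```shell
#!/bin/sh
# Added example, not from the Sun guide: export a Root CA from the Java
# cacerts keystore, check it against a pinned fingerprint, then import it
# into the package keystore with pkgadm addcert -t.
# Assumptions: J2SE cacerts path and "changeit" password (J2SE defaults),
# the alias gtecybertrustca from the guide, openssl present on the host,
# and a PINNED_SHA1 value supplied by the administrator.

CACERTS=/usr/j2se/jre/lib/security/cacerts
STOREPASS=changeit
ALIAS=gtecybertrustca
TMPCERT="/tmp/root.crt.$$"
# Fingerprint recorded from a trusted source (CA publication, offline copy).
# The value below is a constructed placeholder, not a real fingerprint.
PINNED_SHA1='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Normalise a fingerprint for comparison: drop an "SHA1 Fingerprint=" label
# (openssl style) or "SHA1 Fingerprint:" label (pkgadm style), colons, spaces
# and case, so differently formatted strings compare byte for byte.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*[Ff]ingerprint *[=:] *//' \
        | tr -d ': ' | tr '[:upper:]' '[:lower:]'
}

# Return 0 when two non-empty fingerprints are identical after normalisation.
fp_matches() {
    a=$(norm_fp "$1")
    b=$(norm_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 2: confirm the alias exists in the Java keystore (exit status only).
ca_present() {
    keytool -storepass "$STOREPASS" -list -keystore "$CACERTS" \
        -alias "$ALIAS" >/dev/null 2>&1
}

# Step 3: export the certificate (DER by default) to a root-only temp file.
export_ca() {
    umask 077
    keytool -export -storepass "$STOREPASS" -alias "$ALIAS" \
        -keystore "$CACERTS" -file "$TMPCERT"
}

# Independent SHA1 fingerprint of the exported DER file.
der_sha1() {
    openssl x509 -inform der -in "$TMPCERT" -noout -fingerprint -sha1
}

# Step 4: import only if the exported file carries the pinned fingerprint.
# pkgadm addcert -t still prints the certificate details and prompts; the
# SHA1 it shows should equal PINNED_SHA1.
import_trusted() {
    if fp_matches "$(der_sha1)" "$PINNED_SHA1"; then
        pkgadm addcert -t -f der "$TMPCERT"
    else
        echo "fingerprint mismatch for $TMPCERT; not importing" >&2
        return 1
    fi
}

main() {
    ca_present || { echo "alias $ALIAS not found in $CACERTS" >&2; return 1; }
    export_ca || return 1
    import_trusted
    rc=$?
    rm -f "$TMPCERT"    # step 5, performed on success and on failure
    return $rc
}

# Run only where the Solaris tools exist; elsewhere the functions above can
# still be sourced and exercised on their own.
if command -v keytool >/dev/null 2>&1 && command -v pkgadm >/dev/null 2>&1 \
    && command -v openssl >/dev/null 2>&1; then
    main
fi
```

Because the import decision rests on fp_matches, the script refuses to call pkgadm addcert when the exported file does not match the recorded fingerprint, which is the case a manual "verify the details" step is most likely to miss.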