How to Import a Trusted Certificate into Your Package Keystore (pkgadm addcert) (System Administration Guide: Basic Administration)

System Administration Guide: Basic Administration

How to Import a Trusted Certificate into Your Package Keystore (`pkgadm addcert`)

To add signed patches to your system with the patchadd command, you will need to add Sun's Root CA certificate, at the very least, to verify the signature on your signed patch. You can import this certificate from the Java keystore into the package keystore.

Become superuser or assume an equivalent role.

Export the Root CA certificate from the Java keystore into a temporary file.

For example:

# keytool -export -storepass changeit -alias gtecybertrustca -keystore 
gtecybertrustca -keystore /usr/j2se/jre/lib/security/cacerts -file 
/tmp/root.crt
Certificate stored in file </tmp/root.crt>

`-export`	Exports the trusted certificate.
`-storepass` `storepass`	Specifies the password that protects the integrity of the Java keystore.
`-alias` `gtecybertrustca`	Identifies the alias of the trusted certificate.
`-keystore` `certfile`	Specifies the name and location of the keystore file.
`-file` `filename`	Identifies the file to hold the exported certificate.

Import the Root CA certificate into the package keystore from the temporary file.

For example:

# pkgadm addcert -t -f der /tmp/root.crt
Enter Keystore Password: storepass
      Keystore Alias: GTE CyberTrust Root
         Common Name: GTE CyberTrust Root
    Certificate Type: Trusted Certificate
  Issuer Common Name: GTE CyberTrust Root
      Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 ... 
     MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
    SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91...

Are you sure you want to trust this certificate? yes
Trusting certificate <GTE CyberTrust Root>
Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): 
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): 
Certificate(s) from </tmp/root.crt> are now trusted

`-t`	Indicates that the certificate is a trusted CA certificate. The command output includes the details of the certificate, which the user is asked to verify.
`-f` `format`	Specifies the format of the certificates or private key. When importing a certificate, it must be encoded using either the PEM (`pem`) or binary DER (`der`) format.
`certfile`	Specifies the file that contains the certificate.

Display the certificate information.

For example:

# pkgadm listcert -P pass:storepass
    Keystore Alias: GTE CyberTrust Root
       Common Name: GTE CyberTrust Root
  Certificate Type: Trusted Certificate
Issuer Common Name: GTE CyberTrust Root
    Validity Dates: <Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT>
   MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
  SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:
BC:65:A6:89:64

Remove the temporary file.

For example:
# rm /tmp/root.crt