System Administration Guide: Basic Administration

Procedure: How to Import a Trusted Certificate to Your Package Keystore

To apply signed patches to your system by using the patchadd command, you must add, at the very least, Sun's Root CA certificate to the package keystore so that the signature of your signed patch can be verified. You can import this certificate from the Java keystore to the package keystore.

  1. Become superuser or assume an equivalent role.

  2. If you are using the patchadd command to install signed patches, add the new trusted Verisign certificate to the keystore.

    1. Download the Class 2 Public Primary Certification Authority - G2 trusted Verisign certificate from http://www.sun.com/pki/certs/ca/.

      The Subject Name of this certificate is:

      C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification
      Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only,
      OU=VeriSign Trust Network

    2. Select the binary format (DER encoded).

    3. Copy the certificate to the file, /tmp/root.crt.


    Note – If you are unable to download the trusted Verisign certificate, see Exporting the Root CA Certificate From the Java Keystore for alternate instructions.


  3. Import the Root CA certificate from the temporary file to the package keystore.

    Unless changed by the system administrator, the default Java keystore password is changeit.

    For example:


    # pkgadm addcert -t -f der /tmp/root.crt
         Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
            Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
       Certificate Type: Trusted Certificate
     Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
         Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug  1 23:59:59 2028 GMT>
        MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
       SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

    Are you sure you want to trust this certificate? yes
    Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O>
    Type a Keystore protection Password. changeit
    Press ENTER for no protection password (not recommended):
    For Verification: Type a Keystore protection Password.
    Press ENTER for no protection password (not recommended):
    Certificate(s) from </tmp/root.crt> are now trusted

    -t

    Indicates that the certificate is a trusted CA certificate. The command output includes the certificate details, which you are asked to verify.

    -f format

    Specifies the format of the certificate or private key. When importing a certificate, it must be encoded using either the PEM (pem) or binary DER (der) format.

    certfile

    Specifies the file that contains the certificate.

  4. Display the certificate information.


    # pkgadm listcert
    Enter Keystore Password: storepass
         Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
            Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
       Certificate Type: Trusted Certificate
     Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
         Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug 1 23:59:59 2028 GMT>
        MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
       SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

  5. Remove the temporary file.


    # rm /tmp/root.crt
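
The certificate in step 2 is downloaded over plain HTTP into /tmp, so the fingerprint that pkgadm addcert asks you to confirm in step 3 is what establishes trust. The following POSIX shell script is an added example, not part of the original guide: it hashes the DER file and compares the result with the SHA1 fingerprint shown in the output above. The function names, the check_fp.sh file name and the --check argument are illustrative assumptions, and it assumes a POSIX shell rather than the legacy Bourne shell.

```shell
#!/bin/sh
# Added example (not from the guide): compare a DER certificate's SHA-1
# fingerprint with an expected value before trusting it. The fingerprint is
# the hash of the DER-encoded file itself, so no certificate parsing is needed.
# Function names and the --check argument are illustrative assumptions.

# Strip colons and whitespace, fold hex digits to lower case.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'ABCDEF' 'abcdef'
}

# Print the SHA-1 hex digest of a file with whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then    # Solaris digest(1)
        digest -a sha1 "$1"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    else
        return 2
    fi
}

# cert_fp_matches FILE EXPECTED -> 0 match, 1 mismatch, 2 could not check
cert_fp_matches() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    actual=$(sha1_of "$1") || return 2
    [ -n "$actual" ] || return 2
    [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ]
}

# SHA1 fingerprint copied from the pkgadm output shown on this page.
EXPECTED='B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D'

# Run as: sh check_fp.sh --check /tmp/root.crt   (hypothetical file name)
if [ "${1:-}" = "--check" ]; then
    rc=0
    cert_fp_matches "${2:-/tmp/root.crt}" "$EXPECTED" || rc=$?
    case $rc in
        0) echo "fingerprint matches the expected value" ;;
        1) echo "FINGERPRINT MISMATCH: do not trust this file" >&2 ;;
        *) echo "could not compute fingerprint" >&2 ;;
    esac
    exit "$rc"
fi
```

A mismatch (exit status 1) means the downloaded file is not the certificate whose details appear above, and the import in step 3 should not proceed.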