System Administration Guide: Basic Administration

Procedure: How to Import a Trusted Certificate From the Java Keystore (pkgadm addcert)

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Verify that the root certificate authority (CA) certificate exists in the Java™ keystore.


    # keytool -storepass storepass -list -keystore certfile
    
    keytool

    Manages a Java keystore (database) of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. Also manages certificates from trusted entities. For more information on the keytool utility, see keytool - Key and Certificate Management Tool.

    -storepass storepass

    Specifies the password that protects the integrity of the keystore.

    -list

    By default, prints the MD5 fingerprint of a certificate.

    -keystore certfile

    Specifies the name and location of the persistent keystore file.

  3. Export the root CA certificate from the Java keystore to a temporary file.


    # keytool -export -storepass storepass -alias verisignclass2g2ca \
        -keystore certfile -file filename

    -export

    Exports the trusted certificate.

    -storepass storepass

    Specifies the password that protects the integrity of the Java keystore.

    -alias verisignclass2g2ca

    Identifies the alias of the trusted certificate.

    -keystore certfile

    Specifies the name and location of the keystore file, for example /usr/java/jre/lib/security/cacerts, the Java CA keystore used in Example 20–1.

    -file filename

    Identifies the file to hold the exported certificate.

  4. Import a trusted certificate to the package keystore.


    # pkgadm addcert -t -f format certfile
    
    -t

    Indicates that the certificate is a trusted CA certificate. The output includes the details of the certificate, which the user is asked to verify.

    -f format

    Specifies the format of certificates and private keys. When you import a certificate, it must be encoded using PEM or binary DER format.

    certfile

    Specifies the file that contains the certificate.

  5. Remove the temporary file.


    # rm /tmp/file-name
    

    For more information, see the pkgadm(1M) man page.
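
The following shell script is an added example; it is not part of this guide and not Oracle's tooling. It automates steps 3 to 5 and, before calling pkgadm addcert, checks the exported certificate's SHA1 fingerprint against a value you supply, so the "Are you sure you want to trust this certificate?" prompt is answered from a pinned fingerprint rather than by eye. The function names, the use of sha1sum or digest(1) to hash the DER file, and the mktemp file name are assumptions of this example; keytool and pkgadm are used exactly as the procedure shows (keytool -export writes binary DER unless -rfc is given, which is why the import uses -f der, as in Example 20–1).

```shell
#!/bin/sh
# Added example (not from the Solaris guide): automate the keytool -> pkgadm
# addcert procedure with a fingerprint check before trusting the certificate.

# Print the SHA1 fingerprint of a DER-encoded certificate file in the
# colon-separated, upper-case form that pkgadm addcert displays.
# The fingerprint is simply SHA1 over the raw DER bytes, so a plain digest
# utility suffices: sha1sum on Linux, digest(1) on Solaris (assumed here).
cert_sha1_fingerprint() {
    file=$1
    if command -v sha1sum >/dev/null 2>&1; then
        hex=$(sha1sum "$file" | awk '{print $1}')
    elif command -v digest >/dev/null 2>&1; then
        hex=$(digest -a sha1 "$file")
    else
        echo "no SHA1 digest utility found" >&2
        return 2
    fi
    printf '%s\n' "$hex" | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Normalize a fingerprint for comparison: drop colons, upper-case hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# Return 0 if FILE's SHA1 fingerprint equals EXPECTED (colons optional,
# any case), non-zero otherwise.
verify_fingerprint() {
    actual=$(cert_sha1_fingerprint "$1") || return 2
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# Export ALIAS from the Java keystore JKS (protected by STOREPASS), verify it
# against EXPECTED_SHA1, then import it into the package keystore. The
# temporary file is removed whether or not the import succeeds (step 5).
import_trusted_cert() {
    alias=$1 jks=$2 storepass=$3 expected=$4
    tmp=$(mktemp /tmp/root.XXXXXX) || return 1   # hypothetical temp name
    trap 'rm -f "$tmp"' EXIT
    # Step 3: keytool -export writes binary DER unless -rfc is given.
    keytool -export -storepass "$storepass" -alias "$alias" \
        -keystore "$jks" -file "$tmp" || return 1
    if ! verify_fingerprint "$tmp" "$expected"; then
        echo "fingerprint mismatch for $alias; not importing" >&2
        echo "expected: $expected" >&2
        echo "actual:   $(cert_sha1_fingerprint "$tmp")" >&2
        return 1
    fi
    # Step 4: the SHA1 fingerprint pkgadm prints now equals $expected, so the
    # operator can answer the trust prompt with confidence.
    pkgadm addcert -t -f der "$tmp"
}

# Usage (requires keytool and pkgadm, run as root; the fingerprint is the
# SHA1 value shown in Example 20-1):
#   import_trusted_cert verisignclass2g2ca /usr/java/jre/lib/security/cacerts \
#       changeit B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
```

Pin the SHA1 fingerprint, not the MD5 one that keytool -list prints by default: MD5 collisions are practical, so an MD5 match on its own is weak evidence that the exported file is the CA certificate you expect. The script is written for a POSIX sh; the legacy Solaris Bourne /bin/sh lacks command -v, so run it under a POSIX-conformant shell.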


Example 20–1 Importing a Trusted Certificate From the Java Keystore

The following example shows how to import a trusted certificate. In this example, Sun's root CA certificate is exported from the Java keystore with the keytool command and imported into the package keystore with pkgadm addcert.


# keytool -export -storepass changeit -alias verisignclass2g2ca \
-keystore /usr/java/jre/lib/security/cacerts -file /tmp/root.crt
Certificate stored in file </tmp/root.crt>

# pkgadm addcert -t -f der /tmp/root.crt
     Keystore Alias: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
        Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
   Certificate Type: Trusted Certificate
Issuer Common Name: /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O
     Validity Dates: <May 18 00:00:00 1998 GMT> - <Aug  1 23:59:59 2028 GMT>
    MD5 Fingerprint: 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
   SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

Are you sure you want to trust this certificate? yes
Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/O>
Type a Keystore protection Password. xxxxxx
Press ENTER for no protection password (not recommended):
For Verification: Type a Keystore protection Password.
Press ENTER for no protection password (not recommended):
Certificate(s) from </tmp/root.crt> are now trusted