Verify that the Root CA certificate exists in the Java keystore.
# keytool -storepass storepass -list -keystore certfile |
keytool |
Manages a Java keystore (database) of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. Also manages certificates from trusted entities. For more information on the keytool command, see keytool-Key and Certificate Management Tool. |
-storepass storepass |
Specifies the password that protects the integrity of the Java keystore. |
-list |
By default, prints the MD5 fingerprint of a certificate. |
-keystore certfile |
Specifies the name and location of the persistent Java keystore file. |
Export the Root CA certificate from the Java keystore to a temporary file.
# keytool -export -storepass storepass -alias gtecybertrustca -keystore gtecybertrustca -keystore /usr/j2se/jre/lib/security/cacerts -file filename |
-export |
Exports the trusted certificate. |
-storepass storepass |
Specifies the password that protects the integrity of the Java keystore. |
-alias gtecybertrustca |
Identifies the alias of the trusted certificate. |
-keystore certfile |
Specifies the name and location of the keystore file. |
-file filename |
Identifies the file to hold the exported certificate. |
Import a trusted certificate to the package keystore.
# pkgadm addcert -t -f format certfile |
-t |
Indicates that the certificate is a trusted CA certificate. The command output includes the details of the certificate, which the user is asked to verify. |
-f format |
Specifies the format of the certificates or private key. When importing a certificate, it must be encoded using either the PEM (pem) or binary DER (der) format. |
certfile |
Specifies the file that contains the certificate. |
For more information, see the pkgadm man page.
Remove the temporary file.
The following example shows how to import a trusted certificate. In this example, Sun's Root CA certificate is imported from the Java keystore into the package keystore with the keytool command.
# keytool -export -storepass changeit -alias gtecybertrustca -keystore gtecybertrustca -keystore /usr/j2se/jre/lib/security/cacerts -file /tmp/root.crt Certificate stored in file </tmp/root.crt> # pkgadm addcert -t -f der /tmp/root.crt Enter Keystore Password: storepass Keystore Alias: GTE CyberTrust Root Common Name: GTE CyberTrust Root Certificate Type: Trusted Certificate Issuer Common Name: GTE CyberTrust Root Validity Dates:<Feb 23 23:01:00 1996 GMT>-<Feb 23 23:59:00 2006 GMT> MD5 Fingerprint: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58 SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC... Trusting certificate <GTE CyberTrust Root> Type a Keystore protection Password. Press ENTER for no protection password (not recommended): xxx For Verification: Type a Keystore protection Password. Press ENTER for no protection password (not recommended): xxx Certificate(s) from </tmp/root.crt> are now trusted # rm /tmp/root.crt |