Programming Tutorials

Importing a Certificate for the CA example using keytool in Java

By: Jagan  

You need to replace your self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a "root" CA.

Before you import the certificate reply from a CA, you need one or more "trusted certificates" in your keystore or in the cacerts keystore file:

  • If the certificate reply is a certificate chain, you just need the top certificate of the chain (that is, the "root" CA certificate authenticating that CA's public key).
  • If the certificate reply is a single certificate, you need a certificate for the issuing CA (the one that signed it), and if that certificate is not self-signed, you need a certificate for its signer, and so on, up to a self-signed "root" CA certificate.

The "cacerts" keystore file ships with five VeriSign root CA certificates, so you probably won't need to import a VeriSign certificate as a trusted certificate in your keystore. But if you request a signed certificate from a different CA, and a certificate authenticating that CA's public key hasn't been added to "cacerts", you will need to import a certificate from the CA as a "trusted certificate".

A certificate from a CA is usually either self-signed, or signed by another CA (in which case you also need a certificate authenticating that CA's public key). Suppose company ABC, Inc., is a CA, and you obtain a file named "ABCCA.cer" that is purportedly a self-signed certificate from ABC, authenticating that CA's public key.

Be very careful to ensure the certificate is valid prior to importing it as a "trusted" certificate! View it first (using the keytool -printcert command, or the keytool -importcert command without the -noprompt option), and make sure that the displayed certificate fingerprint(s) match the expected ones. You can call the person who sent the certificate, and compare the fingerprint(s) that you see with the ones that they show (or that a secure public key repository shows). Only if the fingerprints are equal is it guaranteed that the certificate has not been replaced in transit with somebody else's (for example, an attacker's) certificate. If such an attack took place, and you did not check the certificate before you imported it, you would end up trusting anything the attacker has signed.

If you trust that the certificate is valid, then you can add it to your keystore via the following:

    keytool -importcert -alias abc -file ABCCA.cer

This creates a "trusted certificate" entry in the keystore, with the data from the file "ABCCA.cer", and assigns the alias "abc" to the entry.




Archived Comments


Most Viewed Articles (in Java )

Latest Articles (in Java)

Comment on this tutorial

Related Tutorials

© 2023 Java-samples.com

Tutorial Archive: Data Science  Android  AJAX  ASP.net  C  C++  C#  Cocoa  Cloud Computing  EJB  Errors  Java  Certification  Interview  iPhone  Javascript  JSF  JSP  Java Beans  J2ME  JDBC  Linux  Mac OS X  MySQL  Perl  PHP  Python  Ruby  SAP  VB.net  EJB  Struts  Trends  WebServices  XML  Office 365  Hibernate

Latest Tutorials on: Data Science  Android  AJAX  ASP.net  C  Cocoa  C++  C#  EJB  Errors  Java  Certification  Interview  iPhone  Javascript  JSF  JSP  Java Beans  J2ME  JDBC  Linux  Mac OS X  MySQL  Perl  PHP  Python  Ruby  SAP  VB.net  EJB  Struts  Cloud Computing  WebServices  XML  Office 365  Hibernate