importing a local CA certificate into cacerts keystore

[Kurt Yoder]

Hello all,

I'm trying to run Apache Archiva using OpenJDK, and authenticating off SSL-protected LDAP. This is throwing an exception "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Since my LDAP server's SSL is signed using my local CA certificate, I presume this error effectively is telling me I need to import my local CA certificate into the OpenJDK keystore.


Following this reasoning I am attempting to import my root CA, but I can't figure out how to do it. I tried:

keytool -importcert -file /etc/ssl/certs/my-ca.pem -keystore /etc/ssl/certs/java/cacerts 

which gives me:

keytool error: java.lang.Exception: Input not an X.509 certificate


I also tried:

keytool -importkeystore -v -srckeystore /etc/ssl/certs/my-ca.pem -destkeystore /etc/ssl/certs/java/cacerts

but this gives me 

keytool error: java.io.IOException: Invalid keystore format
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1201)
        at sun.security.tools.KeyTool.loadSourceKeyStore(KeyTool.java:1560)
        at sun.security.tools.KeyTool.doImportKeyStore(KeyTool.java:1603)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:881)
        at sun.security.tools.KeyTool.run(KeyTool.java:194)
        at sun.security.tools.KeyTool.main(KeyTool.java:188)


Searching on the internet, I see something that *looks* like what I want, but doesn't appear to work with openjdk's keytool:

http://www.grok2.com/blog/2010/09/14/keytool-jarsigner-oddity-on-ubuntu-with-openjdk-version-6/

eg "keytool -import -alias myCA -file my-ca.pem"


So does anyone have suggestions? Am I doing it wrong?