importing a local CA certificate into cacerts keystore

Sean Mullan sean.mullan at oracle.com
Fri Apr 1 16:54:47 UTC 2011


Moving to security-dev at openjdk.java.net

On 3/31/11 4:11 PM, Kurt Yoder wrote:
> Hello all,
>
> I'm trying to run Apache Archiva using OpenJDK, and authenticating off SSL-protected LDAP. This is throwing an exception "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Since my LDAP server's SSL is signed using my local CA certificate, I presume this error effectively is telling me I need to import my local CA certificate into the OpenJDK keystore.
>
>
> Following this reasoning I am attempting to import my root CA, but I can't figure out how to do it. I tried:
>
> keytool -importcert -file /etc/ssl/certs/my-ca.pem -keystore /etc/ssl/certs/java/cacerts
>
> which gives me:
>
> keytool error: java.lang.Exception: Input not an X.509 certificate

This means it can't decode the certificate for some reason.

Try the following:

keytool -v -printcert -file /etc/ssl/certs/my-ca.pem

which should dump a trace of the exception with more info.

--Sean

>
>
> I also tried:
>
> keytool -importkeystore -v -srckeystore /etc/ssl/certs/my-ca.pem -destkeystore /etc/ssl/certs/java/cacerts
>
> but this gives me
>
> keytool error: java.io.IOException: Invalid keystore format
> java.io.IOException: Invalid keystore format
>          at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
>          at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>          at java.security.KeyStore.load(KeyStore.java:1201)
>          at sun.security.tools.KeyTool.loadSourceKeyStore(KeyTool.java:1560)
>          at sun.security.tools.KeyTool.doImportKeyStore(KeyTool.java:1603)
>          at sun.security.tools.KeyTool.doCommands(KeyTool.java:881)
>          at sun.security.tools.KeyTool.run(KeyTool.java:194)
>          at sun.security.tools.KeyTool.main(KeyTool.java:188)
>
>
> Searching on the internet, I see something that *looks* like what I want, but doesn't appear to work with openjdk's keytool:
>
> http://www.grok2.com/blog/2010/09/14/keytool-jarsigner-oddity-on-ubuntu-with-openjdk-version-6/
>
> eg "keytool -import -alias myCA -file my-ca.pem"
>
>
> So does anyone have suggestions? Am I doing it wrong?
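
An added example, not part of the original thread and not OpenJDK code: a Python check that reports structural reasons a file may fail to decode as a PEM certificate, to run alongside the keytool -printcert step suggested in the reply. The function name, the set of checks and the sample inputs are assumptions made for illustration; it does not reproduce keytool's own parser.

```python
import base64
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def diagnose_pem(text):
    """List structural problems in a file expected to hold a PEM certificate."""
    blocks = list(PEM_BLOCK.finditer(text))
    if not blocks:
        return ["no PEM block found (DER, keystore, or truncated file?)"]
    findings = []
    if text[:blocks[0].start()].strip():
        findings.append("text precedes the first BEGIN line")
    certs = 0
    for m in blocks:
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            findings.append(f"block labelled '{label}' is not a certificate")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append("certificate body is not valid base64")
            continue
        if der[:1] != b"\x30":
            findings.append("decoded body does not start with a DER SEQUENCE")
            continue
        certs += 1
    if certs == 0:
        findings.append("no decodable CERTIFICATE block")
    return findings

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed inputs: FAKE_DER is a tiny DER SEQUENCE, not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLES = {
    "clean": _pem("CERTIFICATE", FAKE_DER),
    "leading text": "Certificate:\n    Data:\n" + _pem("CERTIFICATE", FAKE_DER),
    "private key": _pem("PRIVATE KEY", FAKE_DER),
    "not PEM": "\x30\x82\x03\x01 binary bytes",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {diagnose_pem(text) or 'looks like one PEM certificate'}")
```

An empty result only means the file has the expected outer shape; the certificate contents still have to parse, which is what the -printcert trace shows.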


