I would like to understand the Java runtime's requirement for SSL certificates storage in general. I understand it can be copied to the host's /etc/ssl/certs folder, but for Java, does it need to be imported into a specific Keystore for a runtime to be able to use and consume it in any SSL verification process by the application? E.g. if I have a JRE client that requires packaging of root/intermediate certificates to make web client calls internally to site1.foo.com, I will need the root and intermediate certificates, depending on the chain, to verify the request.
With various other runtime environments, it seems I can just place them in the /etc/ssl/certs folder: NodeJS => How to add custom certificate authority (CA) to nodejs Go => Where is Golang picking up root CAs from?
However, presumably for usage in Java, I need to go an extra step and use keytool and import into a specific Keystore? Presumably, it can't just pick up from a common directory as per above? Hope my question makes sense.
In Java, collections of certificates are usually accessed through a KeyStore interface.

As remarked in the comments, the default SSLContext will read the certificates from a PKCS12 (or JKS) file located in $JRE_HOME/lib/security/cacerts.

However, that is not the only possibility and you don't have to call keytool to add trusted certificates:

- On Debianoids you can use -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts (cf. this question) to use the PKCS12 file provided by the ca-certificates-java package. It is updated whenever you call update-ca-certificates. Therefore you just need to add a *.crt file in /usr/local/share/ca-certificates and run update-ca-certificates.

- If you don't use the default SSLContext you can init it with a different TrustManager (cf. this question). That's how Tomcat 8.5+ loads certificates in PEM format.

Unfortunately there is no implementation of KeyStore that reads certificates from a directory, but that can easily be written.

Edit: On Debianoids the packaged JREs already use /etc/ssl/java/cacerts, so no further configuration is needed.