How can I get a list of trusted root certificates in Java?
Question
I would like to be able to get access to all trusted root certificates programmatically in a Java app.
I was looking at the keystore interface, but I'm hoping to get the list of trusted roots that's implicit with the JRE.
Is this accessible anywhere?
3 answers
solution1
36 ACCPTED 2010-08-18 01:01:20
There's an example that shows how to get a Set of the root certificates and iterate through them called Listing the Most-Trusted Certificate Authorities (CA) in a Key Store . Here's a slightly modified version that prints out each certificate (tested on Windows Vista).
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Iterator;
public class Main {
public static void main(String[] args) {
try {
// Load the JDK's cacerts keystore file
String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
FileInputStream is = new FileInputStream(filename);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
String password = "changeit";
keystore.load(is, password.toCharArray());
// This class retrieves the most-trusted CAs from the keystore
PKIXParameters params = new PKIXParameters(keystore);
// Get the set of trust anchors, which contain the most-trusted CA certificates
Iterator it = params.getTrustAnchors().iterator();
while( it.hasNext() ) {
TrustAnchor ta = (TrustAnchor)it.next();
// Get certificate
X509Certificate cert = ta.getTrustedCert();
System.out.println(cert);
}
} catch (CertificateException e) {
} catch (KeyStoreException e) {
} catch (NoSuchAlgorithmException e) {
} catch (InvalidAlgorithmParameterException e) {
} catch (IOException e) {
}
}
}
solution2
12 2016-10-20 14:47:31
This should be more flexible using the default trust store in the system to get all certificates:
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
List<Certificate> x509Certificates = new ArrayList<>();
trustManagerFactory.init((KeyStore)null);
Arrays.asList(trustManagerFactory.getTrustManagers()).stream().forEach(t -> {
x509Certificates.addAll(Arrays.asList(((X509TrustManager)t).getAcceptedIssuers()));
});
```
solution3
0 2022-03-21 06:48:44
A working example, combining concept from Bill the Lizard and k_o_ answer:
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class JDKTrustStoreCertListing {
public static void main(String[] args) throws Exception{
String javaHome=System.getProperty("java.home");
Path jdkCACertPath=Paths.get(javaHome, "lib", "security", "cacerts");
TrustManagerFactory trustManagerFactory=TrustManagerFactory
.getInstance(TrustManagerFactory
.getDefaultAlgorithm());
FileInputStream fis=new FileInputStream(jdkCACertPath.toFile());
String keystorePassword="changeit";
KeyStore keyStore=KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(fis, keystorePassword.toCharArray());
fis.close();
trustManagerFactory.init(keyStore);
TrustManager[] truestManagers=trustManagerFactory.getTrustManagers();
for(TrustManager t:truestManagers)
for(X509Certificate c:((X509TrustManager)t).getAcceptedIssuers())
System.out.println(c.getIssuerX500Principal());
}//main closing
}//class closing
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.