Reputation: 2994
I'm trying to connect a Java Web API via HTTPS; however, an exception is thrown:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
I followed these steps which I learned from online keytool & SSL cert tutorials:
I copied the HTTPS URL into the browser, downloaded the SSL certificates & installed them in the browser using Internet Explorer.
Exported the certificates to a path on my computer, the certificates were saved as .cer
Used the keytool's import option. The command below executed without any errors.
keytool -import -alias downloadedCertAlias -keystore C:\path\to\my\keystore\cacerts.file -file C:\path\of\exportedCert.cer
I was prompted for a password at the command prompt, which I entered, and then I was authenticated.
The cmd window printed some certificate data & signatures and I was prompted with the question:
Trust this certificate?
I answered yes.
The cmd prompt displayed
Certificate was added to keystore
However after that message, another exception was displayed:
keytool error: java.io.FileNotFoundException: C:\Program files\...\cacerts <Access Denied>
Finally, when I checked the keystore, the SSL certificate was not added and my application gives the same exception I was getting earlier when trying to connect:
(javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException)
Upvotes: 184
Views: 466419
Reputation: 5149
I was having the same problem while importing the certificate into the local keystore. Whenever I issued the keytool command I got the following error.
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: C:\Program Files\Java\jdk1.8.0_151\jre\lib\security (Access is denied)
The following solution worked for me.
Make sure you are running command prompt in Run as Administrator mode
Change your current directory to %JAVA_HOME%\jre\lib\security
Then issue the command below
keytool -import -alias "mycertificatedemo" -file "C:\Users\name\Downloads\abc.crt" -keystore cacerts
Enter the password changeit
Enter y
You will see the following message on success
"Certificate was added to keystore"
Make sure you are giving the cacerts only in -keystore param value, as I was giving the full path like C:\Program Files\Java\jdk1.8.0_151\jre\lib\security.
Hope this will work
Upvotes: 58
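A scripted form of the steps in the answer above, as an added example that is not part of the original post. As the output quoted in the question shows, keytool can print "Certificate was added to keystore" and still fail to write the file, so this version checks elevation and the read-only attribute first and confirms the alias afterwards. Assumptions: JAVA_HOME points at a JDK 8 layout, and the certificate path and alias are the placeholder values from the answer.

```powershell
# Added example: pre-flight checks, import, and verification for the JDK trust store.
# Assumptions: JAVA_HOME points at a JDK 8 layout (jre\lib\security\cacerts);
# $CertFile and $Alias are the placeholder values used in the answer above.
$CertFile = 'C:\Users\name\Downloads\abc.crt'
$Alias    = 'mycertificatedemo'
$Keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$Cacerts  = Join-Path $env:JAVA_HOME 'jre\lib\security\cacerts'

# 1. Writing under C:\Program Files needs an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator".'
}

# 2. A read-only attribute (e.g. on a file checked out of version control)
#    blocks the write even when the session is elevated.
if ((Get-Item $Cacerts).IsReadOnly) {
    throw "$Cacerts is read-only; clear the attribute before importing."
}

# 3. Keep a backup of the trust store, then print the certificate so its
#    fingerprint can be compared with a value obtained from the server owner
#    before it is trusted.
Copy-Item $Cacerts "$Cacerts.bak"
& $Keytool -printcert -file $CertFile

# 4. Import (keytool prompts for the store password and for confirmation).
#    Do not rely on the "Certificate was added" line: check the exit code.
& $Keytool -importcert -alias $Alias -file $CertFile -keystore $Cacerts
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# 5. Confirm the alias is really present in the file on disk.
& $Keytool -list -alias $Alias -keystore $Cacerts
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found after import" }
```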
Reputation: 9663
For Mac, use the command below
sudo keytool -importcert -file ~/certificate-file.cer -keystore $(/usr/libexec/java_home)/lib/security/cacerts
Below will give you the location of cacerts.
/usr/libexec/java_home
Upvotes: 1
Reputation: 326
Our keystore was stored in SCM, and for some reason downloading the file directly from the SCM service again enabled modifying the keystore. Probably the earlier download of the file didn't bring it in binary format.
Upvotes: 0
Reputation: 157
To solve this problem you have to access as Admin or give full control for user privileges. It solved that problem for me.
Upvotes: 3
Reputation: 21
Make sure you are running as Administrator. In Mac terminal:
Upvotes: 2
Reputation: 71
I got this error too, even though I ran cmd as an Administrator.
The root cause is: the file is from VCS (Subversion, Perforce, etc.), and when I checked the properties of this file, its Attributes is Read-only.
So the solution is:
Upvotes: 3
Reputation: 3609
This could happen if you are not running the command prompt in administrator mode. If you are using Windows 7, you can go to Run, type cmd and hit Ctrl+Shift+Enter. This will open the command prompt in administrator mode. If not, you can also go to Start -> All Programs -> Accessories -> right click Command Prompt and click 'Run as administrator'.
Upvotes: 334
Reputation: 571
SOLVED
Upvotes: -3
Reputation: 87
For Mac users make sure to sudo and when prompted first give your administrator password and that will be followed by keystore password which typically should be "changeit" unless you actually changed it.
Upvotes: 7
Reputation: 617
I even ran the command prompt as Administrator but it didn't work for me, with the error below.
'keytool' is not recognized as an internal or external command,
operable program or batch file.
If the path to the keytool is not in your System paths then you will need to use the full path to use the keytool, which is
C:\Program Files\Java\jre<version>\bin
So, the command should be like
"C:\Program Files\Java\jre<version>\bin\keytool.exe" -importcert -alias certificateFileAlias -file CertificateFileName.cer -keystore cacerts
That worked for me.
Upvotes: 1
Reputation: 1
You can store it on another disk or path (not C), e.g. D:\
C:\Program Files\Java\jre1.8.0_101\bin>keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore D:\myserver.jks -dname "CN=myserver,OU=IT-WebDev, O=TIACHOP, L=HCM, ST=0753, C=VN" && keytool -certreq -alias server -file D:\myserver.csr -keystore D:\myserver.jks
Upvotes: -2
Reputation: 39
You can give yourself permissions to fix this problem.
Right click on cacerts > choose Properties > select Security tab > Allow all permissions to all the Group and user names.
This worked for me.
Upvotes: 1
Reputation: 21
If you are using Windows 8:
command prompt
command prompt
and click Run as administrator. Then execute the keytool command.
Upvotes: 2
Reputation: 911
I had the same problem under Windows and could solve it by running cmd.exe as administrator (right-click in start menu, then "Run as administrator").
Upvotes: 30