Reputation: 11297
How do I find out what keystore my JVM is using?
I need to import a certificate into my JVM keystore. I am using the following:
keytool -import -alias daldap -file somecert.cer
so I would need to probably change my call into something like:
keytool -import -alias daldap -file somecert.cer -keystore cacerts –storepass changeit
Upvotes: 166
Views: 643829
Answers (11)
Reputation: 66637
Your keystore will be in your JAVA_HOME---> lib---> security--> cacerts. You need to check where your JAVA_HOME is configured, possibly one of these places,
Computer--->Advanced --> Environment variables---> JAVA_HOME
Your server startup batch files.
In your import command -keystore cacerts (give full path to the above JRE here instead of just saying cacerts).
Upvotes: 168
Reputation: 1550
I found the JVM keystore using the following command on Ubuntu 20.04:
echo $JAVA_HOME/lib/security/cacerts
Output:
/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts
This directory is a symbolic link to:
/etc/ssl/certs/java/cacerts
Upvotes: 2
Reputation: 15673
Keystore Location
Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named .keystore in the user's home directory, as determined by the "user.home" system property. Given user name uName, the "user.home" property value defaults to
C:\Users\uName on Windows 7 systems
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems
Thus, if the user name is "cathy", "user.home" defaults to
C:\Users\cathy on Windows 7 systems
C:\Winnt\Profiles\cathy on multi-user Windows NT systems
C:\Windows\Profiles\cathy on multi-user Windows 95 systems
Upvotes: 53
Reputation: 14419
For me using the official OpenJDK 12 Docker image, the location of the Java keystore was:
/usr/java/openjdk-12/lib/security/cacerts
Upvotes: 5
Reputation: 622
On Debian, using openjdk version "1.8.0_212", I found cacerts here:
/etc/ssl/certs/java/cacerts
Sure would be handy if there was a standard command that would print out this path.
Upvotes: 13
Reputation: 478
In addition to all answers above:
If updating the cacerts file in JRE directory doesn't help, try to update it in JDK.
C:\Program Files\Java\jdk1.8.0_192\jre\lib\security
Upvotes: 0
Reputation: 4419
You can find it in your "Home" directory:
On Windows 7:
C:\Users\<YOUR_ACCOUNT>\.keystore
On Linux (Ubuntu):
/home/<YOUR_ACCOUNT>/.keystore
Upvotes: 25
Reputation: 4117
Mac OS X 10.12 with Java 1.8:
$JAVA_HOME/jre/lib/security
cd $JAVA_HOME
/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home
From there it's in:
./jre/lib/security
I have a cacerts keystore in there.
To specify this as a VM option:
-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit
I'm not saying this is the correct way (Why doesn't java know to look within JAVA_HOME?), but this is what I had to do to get it working.
Upvotes: 31
Reputation: 1
We encountered this issue on a Tomcat running from a jre directory that was (almost fully) removed after an automatic jre update, so that the running jre could no longer find jre.../lib/security/cacerts because it no longer existed.
Restarting Tomcat (after changing the configuration to run from the different jre location) fixed the problem.
Upvotes: 0
Reputation: 3609
As DimtryB mentioned, by default the keystore is under the user directory. But if you are trying to update the cacerts file, so that the JVM can pick the keys, then you will have to update the cacerts file under jre/lib/security. You can also view the keys by executing the command keytool -list -keystore cacerts to see if your certificate is added.
Upvotes: 7
Reputation: 23754
This works for me:
#! /bin/bash
CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))/../lib/security/cacerts)
if keytool -list -keystore $CACERTS -storepass changeit > /dev/null ; then
echo $CACERTS
else
echo 'Can not find cacerts file.' >&2
exit 1
fi
Only for Linux. My Solaris has no readlink. In the end I used this Perl-Script:
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$_/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $_;
my $keytool = $_;
print "Using '$keytool'.\n";
s/keytool$//;
$_ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $_;
my $cacerts = $_;
print "Importing into '$cacerts'.\n";
`$keytool -list -keystore "$cacerts" -storepass changeit`;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $_;
s/\.[^.]+$//;
my $alias = $_;
print "Importing '$cert' as '$alias'.\n";
`keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit`;
warn "Can not import certificate: $?" unless $? == 0;
}
Upvotes: 19
Related Questions
- How do I specify the keystore type on the command line?
- How to acess jvm default KeyStore?
- How to find the path of the keytool generated keystore (self generated)
- How to display Java keystore SecretKeyEntry from command line
- Identifying entries in java keystore
- What keys does the default Java Keystore contain?
- How do I find out what truststore file a Java VM has actually loaded?
- Used keytool to create keystore & key but cant find where it is
- Change default .keystore location
- Get instance of keystore that JVM loads by default