Java Certificates


What is the default password for the Java keystore cacerts?


How can we see a list of certificates that are in the Java certificate store / keystore?

  1. Launch the Windows Control Panel
  2. Click on Programs
  3. Click on Java
  4. Click on the Security tab
  5. Click on Certificates
  6. Select the appropriate value for Certificate type
  7. Toggle between the User tab and the System tab

How can we see a list of certificates that are in the Java certificate store using the keytool command?

  1. Determine where Java is installed. For example, c:\software\Java
  2. cd c:\software\Java\jre7\lib\security
  3. c:\software\Java\jre7\bin\keytool -keystore cacerts -list

How can we import a certificate using the keytool command?

  1. c:\software\Java\jre7\bin\keytool -keystore cacerts -importcert -file c:\path\to\certificateFile -alias aliasName

How can we delete a certificate from a Java certificate store using the keytool command?

keytool -delete -noprompt -alias aliasName -keystore keyStoreFile -storepass keystorePassword

How can we print a certificate?

keytool -printcert -v -file anycert.cer | more

How can we display all the certificates in a keystore?

keytool -list -v | more 
keytool -list -keystore \j2sdk\jre\lib\security\cacerts | more

Is there any GUI tool to manage Java keystore?

How can we import the Fiddler Root Certificate into the Java keystore?

c:\dev\java\bin\keytool.exe -import -file c:\Users\Khai\Desktop\FiddlerRoot.cer -keystore FiddlerKeystore -alias Fiddler

Instead of importing the FiddlerRoot.cer file into the default cacerts file, the above command creates a new keystore named FiddlerKeystore, and therefore it will ask you to provide a passphrase for the new keystore. Perhaps we should use the same passphrase for this keystore as the passphrase that we use for the main cacerts file. Java should not need this passphrase for reading this keystore, but we will need this passphrase whenever we want to update this keystore. We need this command if we want Fiddler to capture HTTPS traffic from our Java program. Rather than creating a new keystore like this, perhaps we should import the Fiddler root certificate into the main cacerts file.

How can we tell Java to use a different keystore?

By default, we can find the cacerts file under JAVA_HOME/jre/lib/security
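
An added example, not from the original page: a Java program can load a separate keystore, such as the FiddlerKeystore created above, and trust it for one HTTPS connection only, leaving the cacerts file that every program on that JRE trusts unchanged. The class name and command-line arguments are assumptions for illustration; for a whole JVM, the standard system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword select a different keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class; usage: java ScopedTrustStore <keystoreFile> <httpsUrl>
public class ScopedTrustStore {

    // Load a keystore file, for example one created with keytool -import.
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // SHA-256 fingerprint in hex, to compare against keytool -list -v output.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        // Needs an interactive console; keeps the passphrase off the command line.
        char[] pass = System.console().readPassword("Keystore passphrase: ");
        KeyStore ks = load(args[0], pass);
        // Show exactly which certificates this program is about to trust.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println(alias + "  " + fingerprint(ks.getCertificate(alias)));
            }
        }
        // Trust managers built from this keystore only; cacerts is not consulted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // Apply the context to this one connection rather than JVM-wide.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```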

How can we tell Java to not use the system proxy?

See the proxy page.
