
I'm using the class InstallCert to import a VMware vCenter certificate into my local Java keystore.

The line `socket.startHandshake()` returns an `UnsupportedOperationException`, but the class `SavingTrustManager` has still downloaded the certificate successfully.

Then I store the downloaded certificate into my local keystore by using the following snippet.

```java
KeyStore jks;
// ... ... ..
jks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacert");
jks.store(out, passphrase);
out.close();
```

But when I try to list all the entries in the keystore with `keytool -list -keystore jssecacerts -v`, it shows that there are 160 entries, including the one that I have downloaded.

I'm pretty sure that the keystore is generated by my code, and it is supposed to be initially empty. I'd like to know where the other 159 entries come from.

Thanks.

vesontio

1 Answer


Use KeyStoreExplorer for comparing both truststores: jssecacerts generated by the InstallCert class, and the cacerts file located in your Java>jre>security>lib.

InstallCert takes the certificate from the server and creates a copy of the truststore of the JVM you are using. Then it adds the certificate to the copy of your truststore, and names it "jssecacerts". Check this piece of code:

```java
// Prefer a jssecacerts file in the current directory
File file = new File("jssecacerts");
if (file.isFile() == false) {
    char SEP = File.separatorChar;
    File dir = new File(System.getProperty("java.home") + SEP
            + "lib" + SEP + "security");
    file = new File(dir, "jssecacerts");
    if (file.isFile() == false) {
        // Fall back to the truststore shipped with the JRE
        file = new File(dir, "cacerts");
    }
}
```

You then just need to rename jssecacerts to cacerts and replace the original one on your JVM.

Oldskultxo
  • Thank you for your reply. In fact, the thing that confuses me is the number of entries in the keystore. I've only downloaded and imported one certificate, so why are there 160 entries in the keystore? – vesontio Feb 01 '16 at 07:32
  • Probably because there were 159 in the truststore your JVM is using. Compare both truststores and check that :). – Oldskultxo Feb 01 '16 at 07:41
  • The code of `installCert` exports the downloaded certificate into a file named `jssecacerts`. I'm pretty sure that the file is generated by my program, as I've deleted the file before running my program. – vesontio Feb 01 '16 at 08:36
  • OK. Don't check it if you don't want to, but... it is all that I can do to help. It doesn't matter how sure you are about the behaviour of the InstallCert app. The behaviour is what it is. Check the piece of code of that application that I have just added to my answer and decide. JSSECACERTS is NOT generated from an empty file. Check it and compare both files and let's see if you finally get convinced :) – Oldskultxo Feb 01 '16 at 09:36
  • Please check line `147` of `installCert`: `OutputStream out = new FileOutputStream("jssecacerts");`, it doesn't reuse the variable `file`. – vesontio Feb 01 '16 at 12:17
  • As you prefer... check the whole application code and not just that line... It does not use the file variable?? And what about the ks file?? Anyway, I can't help you if you don't want the help. Good luck. Here you can read about the behaviour of the app: http://www.dekho.com.au/help/32/default.htm?turl=Documents%2Faddingacertificateintothejavacertificatestore.htm – Oldskultxo Feb 01 '16 at 12:25
  • As you said, I've read the doc, and check the last sentence of the 6th section: `The imported certificates get added to a keystore named “jssecacerts” in the current directory (i.e., C:\temp\installcerts)` – vesontio Feb 02 '16 at 08:35
  • My friend, let's be clear: InstallCert creates C:/temp/jssecacerts; true. But this file is a copy of the cacerts file placed in JAVA_HOME/jre/security/lib. After copying it, InstallCert adds your certificate. Anyway, please, before going on with the complaints, please check both files with the tool I suggested and see that the only difference is that jssecacerts has your certificate and cacerts doesn't. – Oldskultxo Feb 02 '16 at 10:10
  • Okay, now I see, the `jssecacerts` generated by `InstallCert` contains all the certificates in the truststore of JRE + the one that it has downloaded. Thank you! – vesontio Feb 02 '16 at 17:10
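
The behaviour this thread arrives at, as an added example that is not part of the original posts or of InstallCert's own code: a keystore seeded from the JRE's cacerts ends up with every bundled CA plus the import, while one started from a null stream holds only the import. It assumes the truststore is at `java.home/lib/security/cacerts` with the default password `changeit`; the alias `vcenter-demo` and the re-used CA certificate standing in for the downloaded one are constructed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

public class TruststoreDiff {
    // Assumption: the JRE truststore uses the default password "changeit".
    static final char[] PASS = "changeit".toCharArray();

    // Load a keystore from a file; a null file yields a genuinely empty keystore.
    static KeyStore load(File f) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (f == null) {
            ks.load(null, PASS);
            return ks;
        }
        try (InputStream in = new FileInputStream(f)) {
            ks.load(in, PASS);
        }
        return ks;
    }

    static Set<String> aliases(KeyStore ks) throws Exception {
        return new TreeSet<>(Collections.list(ks.aliases()));
    }

    public static void main(String[] args) throws Exception {
        File cacerts = new File(System.getProperty("java.home"),
                "lib" + File.separator + "security" + File.separator + "cacerts");
        KeyStore base = load(cacerts);      // the JVM's own truststore
        KeyStore seeded = load(cacerts);    // starting point that is a copy of cacerts
        KeyStore empty = load(null);        // starting point with no entries

        // Constructed stand-in for the downloaded certificate, under a hypothetical alias.
        Certificate cert = base.getCertificate(base.aliases().nextElement());
        seeded.setCertificateEntry("vcenter-demo", cert);
        empty.setCertificateEntry("vcenter-demo", cert);
        Set<String> added = aliases(seeded);
        added.removeAll(aliases(base));     // what a side-by-side comparison would show
        System.out.println("cacerts entries:           " + base.size());
        System.out.println("seeded copy + 1 import:    " + seeded.size());
        System.out.println("empty keystore + 1 import: " + empty.size());
        System.out.println("aliases not in cacerts:    " + added);
    }
}
```

The alias diff is the same check the answer suggests doing with KeyStoreExplorer: the only entry in the seeded copy that is missing from cacerts is the imported one.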