14

I have a Java application accessing a service that uses a StartCom SSL certificate. For this to work, I need to add the StartCom CA certs to Java's truststore, because they're not in there by default yet. I've successfully done that on Linux using these commands:

sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt

(From this script)

The same command (adapted appropriately) doesn't work on Windows however. I get:

keytool error: java.lang.RuntimeException: Usage error, trustcacerts is not a legal command

How to make it work?

Bjorn
Bart van Heukelom
  • Hi, I'm still getting the error. How to solve it? Harsh Raval. –  Dec 06 '10 at 05:22
  • You forget to mention that more often than not you have two Java key stores on Windows: one for the JDK and another for the public JRE under `C:\Program Files`. In this case you have to add the certs to both stores. – Andrey Taranov Jun 01 '12 at 10:49

4 Answers

5

It was a simple typo. In converting the command I forgot a dash before "trustcacerts". :(

Bart van Heukelom
2

On Mac OS X Mavericks 10.9 I did this:

I always make a tmp directory that I delete later, but you don’t have to:

mkdir ~/tmp
cd ~/tmp

Then download the certs:

curl http://www.startssl.com/certs/ca.crt -O
curl http://www.startssl.com/certs/sub.class1.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class2.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class3.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class4.server.ca.crt -O

Get your Java home:

$ /usr/libexec/java_home
/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home

Use keytool to install it:

sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt

sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt

sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt

sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt

sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
Bjorn
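
A fingerprint check before the import, as an added example that is not part of the original answers: the certificates in the steps above are fetched over plain HTTP, so this version compares each file's SHA-256 fingerprint with a value obtained from a trusted channel before calling keytool, and skips aliases that are already in the store. The function names, the exit codes and the parsing of keytool's English `SHA256:` output line are assumptions.

```sh
# Added example (not from the original answers). Function names, exit codes
# and the calling convention are hypothetical.

# Normalise a fingerprint: drop colons/whitespace, upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint of a certificate file (PEM or DER).
# Assumes keytool's English output, which contains a line "SHA256: AA:BB:...".
cert_fp() {
    keytool -J-Duser.language=en -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# import_verified KEYSTORE STOREPASS ALIAS CERT_FILE EXPECTED_SHA256
# Returns 0 after an import or when the alias already exists, 1 on a
# fingerprint mismatch, 2 when no fingerprint could be read from the file.
import_verified() {
    ks=$1; pass=$2; name=$3; file=$4; expected=$5
    actual=$(cert_fp "$file")
    [ -n "$actual" ] || return 2
    if [ "$(norm_fp "$actual")" != "$(norm_fp "$expected")" ]; then
        echo "fingerprint mismatch for $file: got $actual" >&2
        return 1
    fi
    # Idempotent: skip the import when the alias is already in the store.
    if keytool -list -keystore "$ks" -storepass "$pass" -alias "$name" \
            >/dev/null 2>&1; then
        echo "$name already present in $ks" >&2
        return 0
    fi
    keytool -import -trustcacerts -keystore "$ks" -storepass "$pass" \
        -noprompt -alias "$name" -file "$file"
}

# Usage, run as a user who may write the keystore (the last argument is a
# placeholder for the fingerprint taken from a trusted channel):
#   import_verified "$(/usr/libexec/java_home)/jre/lib/security/cacerts" \
#       changeit startcom.ca ca.crt "<expected SHA-256 fingerprint>"
```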
0

Yes, -trustcacerts is the right syntax.

But for the linked script to work under Cygwin you need to remove sudo from all keytool lines - sudo is unavailable in Cygwin.

Andrey Taranov
0

Remove -trustcacerts

Maurice Perry