0

In chrome, you can click the 'lock' icon to the left of the https url and this comes up

enter image description here

I don't see a way to download this though and then how do I install it in a keystore. Also, it looks like I would have to download 3 different ones?

thanks, Dean

Dean Hiller
  • 19,235
  • 25
  • 129
  • 212
  • For Java apps, you have truststore file inside jre directory - JAVA_HOME---> JRE -->lib---> security--> cacerts. You can import ur certs there – rootkonda Feb 17 '20 at 22:26
  • 1
    @rootkonda+ Although for _Oracle_ Java since 8u101 (4 years ago) cacerts already contains DST CA3. And for 9 up jre is no longer a separate subdirectory. Dean: in addition to all browsers and zillions of other tools like OpenSSL, `keytool -printcert -sslserver $host[:$port] -rfc` will display the certs sent by a server in a form `keytool` can import; often (including SO/SX) this does NOT include the root -- and in general putting any nonroot cert in a keystore _and using it_ will make your system insecure and lose your data and maybe money. – dave_thompson_085 Feb 17 '20 at 23:08
  • @dave_thompson_085 omg, that is such a cool trick!!! – Dean Hiller Feb 17 '20 at 23:58
  • @dave_thompson_085 so how to do securely then? to stay secure and not lose data/money? – Dean Hiller Feb 17 '20 at 23:59
  • My ideal situation would be just to import all certs from chrome into keystore I would think. – Dean Hiller Feb 17 '20 at 23:59
  • The safe way to do PKI is make no change to the established roots without very good reason, be very suspicious of public but not established roots, and in cases where you need a local root, such as a country, business or school, make sure you get it securely from an official source (who should already have procedures to deal with distributing it correctly) and not someone who is a hacker or has been hacked (in the now-too-popular evil sense). On most systems Chrome uses the truststore of the underlying system (e.g. Windows, MacOS); which one(s) do you want? – dave_thompson_085 Feb 20 '20 at 10:36

1 Answers1

0

Ah, ok, I finally ran into this answer on exporting which was tricky...drag and drop into finder on MAC ..

How to Export Certificate from Chrome on a Mac?

Dean Hiller
  • 19,235
  • 25
  • 129
  • 212
  • If you want to use from Java the (trusted) certs in the MacOS Keychain [there is a provider to do that](https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-3185649A-C316-45F2-A70E-2B3FF6BDC34F) – dave_thompson_085 Feb 20 '20 at 10:37