3

I manually added some new certificates to /etc/pki/ca-trust/extracted/java/cacerts and it makes Java trust these certificates as Java is configured to use this certificate location. However, from what I'm reading to do it properly and and make sure this change survives future cert system updates it should be done so:

  • add to /etc/pki/ca-trust/source/anchors
  • run update-trust-ca

However, this doesn't work, i.e. certificates from source anchors are not transferred to Java cacerts.

A proposed solution discussed here https://access.redhat.com/discussions/3018271 is to first run "trust anchor /etc/pki/ca-trust/source/anchors/*.cer" but then I'm getting "p11-kit: couldn't create object: The field is read-only". How can this error be fixed? How to proceed with it?

System:

cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

Java:

java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
Eleator
  • 51
  • 1
  • 4

2 Answers2

1

I am struggling with the same problem.

  1. I put 2 certificates into /etc/pki/ca-trust/source/anchors and run update-ca-trust. Only one goes to /etc/pki/ca-trust/extracted/java/cacerts, CA. The certificate for a server is ignored. When I add option -v to the update-ca-trust for the last line I get:
(p11-kit:21017) extract_certificate: skipping certificate that doesn't match trust flags

With trust anchor cert.pem I have the same situation.

  1. I put those 2 certificates in /etc/pki/tls/certs and run the command trust anchor cert.pem. The I get the file: /etc/pki/ca-trust/source/domain(from CN).p11-kit. I am modifying this file according to this https://access.redhat.com/discussions/3018271. I run again update-ca-trust. After this I can found my certificate also in /etc/pki/ca-trust/extracted/java/cacerts.

For the experiment I've uncommented the line:

#set -vx

from update-ca-trust. When you run the command trust anchor cert.pem then command update-ca-trust is invoked at the end.

I don't know why I cannot keep those files at /etc/pki/ca-trust/source/anchors, why update-ca-trust ignore certificate category: other-entry.

piecia
  • 338
  • 4
  • 17
  • 1
    I've added following command at the end: `/usr/bin/p11-kit extract --format=java-cacerts --filter=certificates --overwrite --purpose server-auth /etc/pki/ca-trust/extracted/java/cacerts` And now the certificate can be found in /etc/pki/ca-trust/extracted/java/cacerts without manually intervention. Additionally, it is worth adding a command: `/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=certificates --overwrite --purpose server-auth /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` – piecia Sep 30 '20 at 08:29
0

Are you importing the CA root or an Intermediate? I faced this issue because I was trying to add a root CA, when I really needed to add the intermediate CA for my wildcard cert.

Lynn Dixon
  • 1