
I exported a certificate from an https url that my java API needs to connect with.

Then imported to java jdk cacert as follows:

  1. clicked the padlock icon at the beginning of the URL on Chrome

  2. certificate > details > copy to file

  3. selected x.509 base 64 > saved the file

  4. installed the certificate on cacerts:

    keytool -import -alias testcert1 -keystore "c:\jdk1.7.0_80\jre\lib\security\cacerts" -file testcert1.cer

  5. Ran the following command to read cacerts:

    keytool -list -keystore c:\jdk1.7.0_80\jre\lib\security\cacerts

As a result it lists several certificates (mostly ones that already come by default with the JDK).

It also shows the newly added certificate among them.

Then I executed the same process, but instead of choosing a base 64 certificate on step 3, I chose x.509 DER.

Then when I read the cacerts file (step 5) just one certificate is displayed (the newly added one).

All the other certificates that were there already are not displayed anymore.

Wondering if that is an issue in case the DER version is used in my app.

Asking that because my API is working only if the DER version is used. It doesn't work with the base 64 version.

Thanks.

jkfe
  • **There should be no difference.** `keytool` (and what it uses internally, `CertificateFactory`) can read either DER-binary or what Windows (called from Chrome) calls 'Base64' which is really PEM and handles them the same. Make sure you are using exactly the correct/same filename both here and in/for your program and it should work the same. PS: Unless your install has already been modified, 7u80 should have come with 92 certs, which is more than I'd call several though that's not actually wrong. – dave_thompson_085 Jun 18 '21 at 21:23
  • Right. But the point is that when I installed the DER it became just one! (the new DER one). The others disappeared. Don't understand why. When I install the base 64 version that doesn't happen. It maintains all the ones that were already there plus the new one. So wondering if it would be ok to use the cacert with just the single certificate and missing all the other ones. Afraid something can stop working because the other certs are missing. – jkfe Jun 19 '21 at 00:11
  • I know that's your point but it shouldn't happen, and doesn't to me -- if I go to an old (nearly dead) Windows system I have with 7u80, copy cacerts, and import a DER cert to it, the other certs are still there as they should be. Whether you need those other certs depends on whether any code run in this Java makes any other SSL/TLS connections or does any other kind of cryptography (like emails or documents or software packages or .... almost infinite possibilities). – dave_thompson_085 Jun 19 '21 at 10:47
  • @dave_thompson_085 Yes. Makes sense. Thanks. – jkfe Jun 19 '21 at 13:49
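
One way to check the behaviour discussed in this thread, as an added example that is not code from the question or the comments: it loads a cacerts file, parses the exported certificate with `CertificateFactory` (the same call for the DER and the Base-64/PEM export), confirms the entry count grows by exactly one, and writes the result to a separate file. The class name `ImportCheck`, the argument order and the `.new` output suffix are assumptions of this example; the `JKS` store type matches the JDK 7 in the question.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added example (hypothetical class name and argument order).
// usage: java ImportCheck <cacerts-path> <storepass> <alias> <cert-file>
public class ImportCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ImportCheck <cacerts-path> <storepass> <alias> <cert-file>");
            System.exit(2);
        }
        File store = new File(args[0]);
        char[] pass = args[1].toCharArray();
        String alias = args[2];

        // Load the existing trust store; JKS is the cacerts format in JDK 7.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, pass);
        }
        int before = ks.size();

        // The same call parses a DER file and a PEM ("Base-64") file.
        Certificate cert;
        try (InputStream in = new BufferedInputStream(new FileInputStream(args[3]))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Fingerprint of the DER encoding: identical for both exports of one cert.
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            fp.append(String.format("%02X", b));
        }
        if (ks.containsAlias(alias)) {
            throw new IllegalStateException("alias already present: " + alias);
        }
        ks.setCertificateEntry(alias, cert);
        if (ks.size() != before + 1) {
            throw new IllegalStateException("entry count went from " + before + " to " + ks.size());
        }
        // Write to a separate file so the original cacerts is never overwritten.
        File out = new File(store.getPath() + ".new");
        try (OutputStream os = new FileOutputStream(out)) {
            ks.store(os, pass);
        }
        System.out.println("SHA-256 " + fp + ": " + before + " -> " + ks.size() + " entries, wrote " + out);
    }
}
```

Running it once with each export should print the same fingerprint and the same entry counts; the JVM can then be pointed at the new file with `-Djavax.net.ssl.trustStore` instead of replacing the JDK's own cacerts.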
