Importing a Certificate to the Java cacerts file
allenbarnett5 at gmail.com
Wed Jun 14 17:20:53 UTC 2017
Hi Daiki: Your hints were right on the money. I was able to make my
certificate permanent by:

1. Running "trust anchor /path/to/mycert.pem"
2. Editing "/etc/pki/ca-trust/source/mycert.p11-kit" and changing one line:

With that change, "trust list ..." displayed my server and update-ca-trust
added my server cert to the java cacerts file.

Thanks so much!

On Thu, May 25, 2017 at 9:11 AM, Daiki Ueno <dueno at redhat.com> wrote:
> Allen Barnett <allenbarnett5 at gmail.com> writes:
>
> > /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors
> > --overwrite --purpose server-auth $DEST/java/cacerts
> >
> > Is there some way I can diagnose why p11-kit extract doesn't add my
> > certificate to java/cacerts? I ran it under strace and it definitely
> > opens and reads the PEM file. So, perhaps there's something about the
> > certificate itself that doesn't meet some criterion of p11-kit?
>
> I would suggest to check if the filter condition given to "p11-kit
> extract" matches your certificate, by using the "trust list" command:
>
>   trust list --filter=ca-anchors --purpose server-auth
>
> If it doesn't include your certificate, then it's likely that the
> certificate doesn't have sufficient attributes. In that case, you could
> attach them by doing:
>
> - add the certificate using "trust anchor" command, rather than copying
>   the file directly into /etc/pki/ca-trust/source/anchors. The command
>   will create /etc/pki/ca-trust/source/your-cert.p11-kit
>
> - create a file, say /etc/pki/ca-trust/source/your-cert-trust.p11-kit,
>   containing a trust assertion, something like:
>
>   class: x-trust-assertion
>   x-assertion-type: x-anchored-certificate
>   x-purpose: "1.3.6.1.5.5.7.3.1"
>   -----BEGIN CERTIFICATE-----
>   -----END CERTIFICATE-----
>
> Daiki Ueno
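
A diagnostic for the "trust list" check suggested in the thread, added here as an example (it is not part of the original messages and not p11-kit code). The `ca-anchors` filter keeps only certificate authorities that are trust anchors, so the hypothetical `anchor_status` function reads `trust list` output and reports the `trust` and `category` fields for one label; the block layout it parses and the sample labels are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage on a real system: trust list | anchor_status "my label"
# Assumes the usual `trust list` layout: a "pkcs11:" URI line followed by
# indented "label:", "trust:" and "category:" lines for each object.

# anchor_status LABEL  (reads `trust list` output on stdin)
#   prints "trust=<v> category=<v>" for the first object with that label
#   returns 0 if it is an anchor in category "authority",
#           1 if it is present but would not pass --filter=ca-anchors,
#           2 if no object carries that label
anchor_status() {
    awk -v want="$1" '
        function emit() {
            if (label == want && !found) {
                printf "trust=%s category=%s\n", trust, category
                found = 1
                ok = (trust == "anchor" && category == "authority")
            }
            label = trust = category = ""
        }
        /^pkcs11:/ { emit(); next }      # a new object starts here
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^label: /)    label    = substr(line, 8)
            if (line ~ /^trust: /)    trust    = substr(line, 8)
            if (line ~ /^category: /) category = substr(line, 11)
        }
        END { emit(); exit (!found ? 2 : (ok ? 0 : 1)) }
    '
}

# Constructed sample in the shape of `trust list` output (not real data).
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%01;type=cert
    type: certificate
    label: Example Root CA
    trust: anchor
    category: authority

pkcs11:id=%02;type=cert
    type: certificate
    label: myserver.example.test
    trust: anchor
    category: other-entry
EOF
}

for l in "Example Root CA" "myserver.example.test"; do
    printf '%s: ' "$l"; sample_trust_list | anchor_status "$l" || true
done
```

A certificate that returns 1 here is stored and trusted but will still be skipped by an extract run with `--filter=ca-anchors`.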