Importing a Certificate to the Java cacerts file

Allen Barnett allenbarnett5 at gmail.com
Wed Jun 14 17:20:53 UTC 2017


Hi Daiki: Your hints were right on the money. I was able to make my
certificate permanent by:
1. Running "trust anchor /path/to/mycert.pem"
2. Editing "/etc/pki/ca-trust/source/mycert.p11-kit" and changing one line:
certificate-category: other-entry
to
certificate-category: authority

With that change, "trust list ..." displayed my server and update-ca-trust
added my server cert to the java cacerts file.

Thanks so much!
Allen

On Thu, May 25, 2017 at 9:11 AM, Daiki Ueno <dueno at redhat.com> wrote:

> Hello,
>
> Allen Barnett <allenbarnett5 at gmail.com> writes:
>
> > /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors
> > --overwrite --purpose server-auth $DEST/java/cacerts
>
> [...]
>
> > Is there some way I can diagnose why p11-kit extract doesn't add my
> > certificate to java/cacerts? I ran it under strace and it definitely
> > opens and reads the PEM file. So, perhaps there's something about the
> > certificate itself that doesn't meet some criterion of p11-kit?
>
> I would suggest to check if the filter condition given to "p11-kit
> extract" matches your certificate, by using the "trust list" command:
>
>   trust list --filter=ca-anchors --purpose server-auth
>
> If it doesn't include your certificate, then it's likely that the
> certificate doesn't have sufficient attributes.  In that case, you could
> attach them by doing:
>
> - add the certificate using "trust anchor" command, rather than copying
>   the file directly into /etc/pki/ca-trust/source/anchors.  The command
>   will create /etc/pki/ca-trust/source/your-cert.p11-kit
>
> - create a file, say /etc/pki/ca-trust/source/your-cert-trust.p11-kit,
>   containing a trust assertion, something like:
>
>   [p11-kit-object-v1]
>   class: x-trust-assertion
>   x-assertion-type: x-anchored-certificate
>   x-purpose: "1.3.6.1.5.5.7.3.1"
>   -----BEGIN CERTIFICATE-----
>   ...
>   -----END CERTIFICATE-----
>
> cf:
>
> http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html
> https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/
>
> Regards,
> --
> Daiki Ueno
>
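As an added example that is not part of this thread, here is a small Python checker for the .p11-kit object files discussed above; it parses the layout shown in the messages (attribute lines followed by a PEM block) and tests both fixes: the certificate-category edit Allen made and the x-trust-assertion object Daiki sketched. The file contents are constructed samples with a placeholder in place of the PEM body, and the attribute names are taken from the thread rather than from p11-kit documentation.

```python
import re

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the OID behind --purpose server-auth

# Constructed sample in the layout "trust anchor" leaves behind; PEM body is a placeholder.
ANCHOR_FILE = """[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: other-entry
label: "mycert"
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BASE64
-----END CERTIFICATE-----
"""

# Constructed trust assertion in the form Daiki suggested.
ASSERTION_FILE = """[p11-kit-object-v1]
class: x-trust-assertion
x-assertion-type: x-anchored-certificate
x-purpose: "1.3.6.1.5.5.7.3.1"
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BASE64
-----END CERTIFICATE-----
"""

def parse_p11kit(text):
    """Split a .p11-kit file into objects: one attribute dict per object, PEM block under 'pem'."""
    objects, current, in_pem = [], None, False
    for line in text.splitlines():
        if line.strip() == "[p11-kit-object-v1]":
            current = {"pem": ""}
            objects.append(current)
        elif current is None:
            continue
        elif in_pem or line.startswith("-----BEGIN "):
            current["pem"] += line + "\n"
            in_pem = not line.startswith("-----END ")
        else:
            m = re.match(r"^([\w-]+):\s*(.*)$", line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip('"')
    return objects

def is_ca_anchor(obj):
    """Per the thread, only category 'authority' objects are exported by --filter=ca-anchors."""
    return obj.get("class") == "certificate" and obj.get("certificate-category") == "authority"

def has_server_auth_assertion(objects):
    """Is there an anchored-certificate trust assertion for the serverAuth purpose?"""
    return any(o.get("class") == "x-trust-assertion"
               and o.get("x-assertion-type") == "x-anchored-certificate"
               and o.get("x-purpose") == SERVER_AUTH_OID for o in objects)

def promote_to_authority(text):
    """Allen's fix: rewrite 'certificate-category: other-entry' to 'authority'."""
    return re.sub(r"^(certificate-category:\s*)other-entry\s*$", r"\1authority", text, flags=re.M)
```

Run it against the real file before and after the edit to confirm the category change, then verify with "trust list --filter=ca-anchors --purpose server-auth" as Daiki advised.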