Importing a Certificate to the Java cacerts file

Allen Barnett allenbarnett5 at
Mon May 1 11:30:33 UTC 2017

Hi: I'd appreciate some guidance. I'm running RHEL 7, which includes 0.20.7
of p11-kit,  and I'm trying to import a certificate for one of my company's
HTTPS servers. It needs to go into the java cacerts file so a Java
application can find the certificate. On RHEL 7, the "update-ca-trust"
command does:

/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors
--overwrite --purpose server-auth $DEST/java/cacerts

I extracted the server's certificate from Firefox's https connection (I
also tried retrieving it with openssl s_client, Internet Explorer and
Chrome; they all produce the same PEM file). I dropped the file in
/etc/pki/ca-trust/source/anchors/ and ran the update-ca-trust command. But,
the /etc/pki/ca-trust/extracted/java/cacerts file so created did not
contain my certificate.

If I add my certificate directly to java/cacerts with the java keytool

keytool -import -trustcacerts -keystore
/etc/pki/ca-trust/extracted/java/cacerts -file my.cert

it works OK. I can access the site with Java commands. However, the next
time RHEL runs update-ca-trust, it overwrites java/cacerts and I lose my
certificate installation.

Is there some way I can diagnose why p11-kit extract doesn't add my
certificate to java/cacerts? I ran it under strace and it definitely opens
and reads the PEM file. So, perhaps there's something about the certificate
itself that doesn't meet some criterion of p11-kit?

Thanks for your help!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the p11-glue mailing list