Importing a Certificate to the Java cacerts file
Daiki Ueno
dueno at redhat.com
Thu May 25 13:11:20 UTC 2017
Hello,
Allen Barnett <allenbarnett5 at gmail.com> writes:
> /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors
> --overwrite --purpose server-auth $DEST/java/cacerts
[...]
> Is there some way I can diagnose why p11-kit extract doesn't add my
> certificate to java/cacerts? I ran it under strace and it definitely
> opens and reads the PEM file. So, perhaps there's something about the
> certificate itself that doesn't meet some criterion of p11-kit?
I would suggest checking whether the filter condition given to "p11-kit
extract" matches your certificate, by using the "trust list" command:
trust list --filter=ca-anchors --purpose server-auth
If it doesn't include your certificate, then it's likely that the
certificate doesn't have sufficient attributes. In that case, you could
attach them by doing:
- add the certificate using "trust anchor" command, rather than copying
the file directly into /etc/pki/ca-trust/source/anchors. The command
will create /etc/pki/ca-trust/source/your-cert.p11-kit
- create a file, say /etc/pki/ca-trust/source/your-cert-trust.p11-kit,
containing a trust assertion, something like:
[p11-kit-object-v1]
class: x-trust-assertion
x-assertion-type: x-anchored-certificate
x-purpose: "1.3.6.1.5.5.7.3.1"
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
cf:
http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html
https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/
Regards,
--
Daiki Ueno
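As an added example (not part of Daiki's mail, and not p11-kit's own tooling), the following POSIX shell functions build a trust-assertion file with exactly the layout shown above from an existing PEM certificate, and check a generated file for the attributes the mail lists. The function names write_trust_assertion and check_trust_assertion, the output path, and the sample certificate body are assumptions of this example; the OID 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth, the purpose that "--purpose server-auth" selects.

```shell
#!/bin/sh
# Added example, not from the original mail or from p11-kit.
# Builds and checks a trust-assertion file in the [p11-kit-object-v1]
# layout quoted above. OID 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth.

SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"

# write_trust_assertion CERT_PEM OUT_FILE
# Writes a p11-kit object file asserting CERT_PEM as an anchored
# certificate for the server-auth purpose. Only the PEM block is copied,
# so comments or text around the certificate are not carried over.
write_trust_assertion() {
    cert="$1"
    out="$2"
    # Refuse input that does not contain a PEM certificate block at all.
    grep -q '^-----BEGIN CERTIFICATE-----$' "$cert" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$cert" || return 1
    {
        printf '[p11-kit-object-v1]\n'
        printf 'class: x-trust-assertion\n'
        printf 'x-assertion-type: x-anchored-certificate\n'
        printf 'x-purpose: "%s"\n' "$SERVER_AUTH_OID"
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$cert"
    } > "$out"
}

# check_trust_assertion FILE
# Returns 0 when FILE carries the object header, the trust-assertion
# class, the anchored-certificate type, the server-auth purpose and a
# PEM block; otherwise reports each missing line on stderr and returns 1.
check_trust_assertion() {
    f="$1"
    rc=0
    for needle in '[p11-kit-object-v1]' \
                  'class: x-trust-assertion' \
                  'x-assertion-type: x-anchored-certificate' \
                  "x-purpose: \"$SERVER_AUTH_OID\"" \
                  '-----BEGIN CERTIFICATE-----' \
                  '-----END CERTIFICATE-----'; do
        if ! grep -qF -- "$needle" "$f" 2>/dev/null; then
            echo "missing: $needle" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (assumed paths, as in the mail's example):
#   write_trust_assertion my-ca.pem /etc/pki/ca-trust/source/your-cert-trust.p11-kit
#   check_trust_assertion /etc/pki/ca-trust/source/your-cert-trust.p11-kit
```

After writing the file, rerunning "trust list --filter=ca-anchors --purpose server-auth" is still the decisive check: check_trust_assertion only confirms the file's layout, not that p11-kit has picked it up.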