Importing a Certificate to the Java cacerts file

Daiki Ueno dueno at
Thu May 25 13:11:20 UTC 2017


Allen Barnett <allenbarnett5 at> writes:

> /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors
> --overwrite --purpose server-auth $DEST/java/cacerts


> Is there some way I can diagnose why p11-kit extract doesn't add my
> certificate to java/cacerts? I ran it under strace and it definitely
> opens and reads the PEM file. So, perhaps there's something about the
> certificate itself that doesn't meet some criterion of p11-kit?

I would suggest checking whether the filter condition given to "p11-kit
extract" matches your certificate, by using the "trust list" command:

  trust list --filter=ca-anchors --purpose server-auth

If it doesn't include your certificate, then it's likely that the
certificate doesn't have sufficient attributes.  In that case, you could
attach them by doing:

- add the certificate using the "trust anchor" command, rather than copying
  the file directly into /etc/pki/ca-trust/source/anchors.  The command
  will create /etc/pki/ca-trust/source/your-cert.p11-kit

- create a file, say /etc/pki/ca-trust/source/your-cert-trust.p11-kit,
  containing a trust assertion, something like:

  class: x-trust-assertion
  x-assertion-type: x-anchored-certificate
  x-purpose: ""


Daiki Ueno
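
The check suggested above can be scripted. The following is an added example, not part of the original message or of p11-kit: a hypothetical helper, trust_lookup, that reads "trust list" output and reports the trust and category fields recorded for one certificate label. The record layout and the sample records are constructed assumptions. A label found in unfiltered "trust list" output but not in the filtered output is the case the message describes.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of p11-kit).
# Assumed record layout: a "pkcs11:" URI line followed by indented
# "key: value" lines, as in the constructed SAMPLE below.
#
# Usage on a real system (commands from the message above):
#   trust list --filter=ca-anchors --purpose server-auth | trust_lookup "LABEL"

# trust_lookup LABEL: reads "trust list" output on stdin, prints
# "<uri> trust=<v> category=<v>" per matching record, returns 1 if none.
trust_lookup() {
    awk -v want="$1" '
        function emit() {
            if (uri != "" && label == want) {
                printf "%s trust=%s category=%s\n", uri,
                    (trust == "" ? "-" : trust),
                    (category == "" ? "-" : category)
                found = 1
            }
            uri = ""; label = ""; trust = ""; category = ""
        }
        /^pkcs11:/ { emit(); uri = $0; next }   # a new record starts here
        /^[ \t]+[a-z-]+:/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            if (key == "label") label = val
            else if (key == "trust") trust = val
            else if (key == "category") category = val
        }
        END { emit(); exit(found ? 0 : 1) }
    '
}

# Constructed sample records (not real output from any system).
SAMPLE='pkcs11:id=%AA%01;type=cert
    type: certificate
    label: Example Internal Root CA
    trust: anchor
    category: authority

pkcs11:id=%BB%02;type=cert
    type: certificate
    label: example-server
    trust: anchor
    category: other-entry
'
```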