Add Certificate to Java Truststore
Adding a custom certificate or a certificate authority (CA) to the Java truststore is commonly required to be able to access HTTPS endpoints using your organization’s internal certificate authorities.
To determine which certificate to export, consider the following:
- Root Certificate Authority (CA) (recommended): Trusts all certificates issued by that CA, making it the most future-proof choice for organizational certificate authorities.
- Entire certificate chain: Includes all intermediate certificates and provides a complete validation path, useful for complex certificate hierarchies or troubleshooting.
If you prefer a tool with a graphical interface instead, you can use KeyStore Explorer, an open source replacement for the Java command-line utilities keytool and jarsigner. For details, refer to the KeyStore Explorer documentation.
How to add a certificate to the Java truststore
To add a new certificate to the Java truststore:
- Export the certificate from your web browser.
  - In your browser, open the HTTPS URL from which you want to export the certificate. The specific instructions might differ for your browser and browser version.
  - In Google Chrome:
    - Select the tune icon (View site information) in the address bar, to the left of the site URL.
    - Select Connection is secure > Show certificate.
    - On the Details tab, select the certificate you want to export (root CA or specific certificate).
    - Select Export and save the file.
  - In Mozilla Firefox:
    - Select the padlock icon in the address bar, to the left of the site URL.
    - Select Connection secure > More information.
    - Select View Certificate.
    - Find the certificate you want to export (root CA or specific certificate).
    - In the certificate Miscellaneous section, select Download next to the certificate.
- Locate the Java truststore file in your ONE Desktop installation, typically jre/lib/security/cacerts. The default password is changeit. Create a backup of the original cacerts file before making any changes:
    cp jre/lib/security/cacerts jre/lib/security/cacerts.backup
- Import the certificate using the Java keytool.
  - Navigate to the jre/bin directory in your ONE Desktop installation and open the terminal.
  - Run the following command:
      keytool -import -alias your-cert-alias -keystore ../lib/security/cacerts -file path/to/your-certificate.cer -storepass <storepass(default: changeit)> -noprompt
    Replace your-cert-alias with a descriptive name and update the file path. The certificate file has an extension such as .cer, .pem, or .crt, depending on your browser.
  - When prompted, enter the truststore password (changeit).
  - Type yes when asked to trust the certificate.
- Optionally, verify the import using the following command.
    keytool -list -keystore ../lib/security/cacerts -alias your-cert-alias
  If successful, the output displays certificate details including the alias, creation date, and certificate information:
    your-cert-alias, Jan 15, 2025, trustedCertEntry, Certificate fingerprint (SHA-256): A1:B2:C3:D4...
  If the certificate was not imported successfully, an error is shown instead:
    Alias <your-cert-alias> does not exist
  In that case, choose a different alias name or remove the existing one first.
  Here are some other common errors you might encounter:
  - If certificate already exists: It might already be imported. Verify with the list command.
  - If file format error: Re-export the certificate in a different format.
  - If permission denied: Run the command as administrator or sudo user.
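Because a root CA in the truststore is trusted for every certificate it issues, it is worth confirming that the exported file really is your organization's CA before importing it. The script below is an added example, not part of the product documentation: it wraps the backup, import, and verify steps above and refuses to import unless the file's SHA-256 fingerprint matches a value you supply. The function names, the STOREPASS variable, and the idea that the expected fingerprint comes from your PKI team are assumptions.

```shell
#!/bin/sh
# Added example, not product code. Run from jre/bin as in the steps above.
# Assumption: the expected SHA-256 fingerprint comes from your PKI team,
# through a channel other than the HTTPS site the file was exported from.
# Usage (hypothetical values):
#   import_trusted_cert corp-root-ca path/to/corp-root.cer "A1:B2:..."

# Strip colons and whitespace, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# True only when both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
    _a=$(normalize_fp "$1")
    _b=$(normalize_fp "$2")
    case "$_a" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#_a}" -eq 64 ] && [ "$_a" = "$_b" ]
}

# Read `keytool -printcert` output on stdin, print the SHA256 fingerprint.
extract_sha256() {
    sed -n 's/^.*SHA256: *\([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# Check the fingerprint, back up the truststore, import, list the new entry.
import_trusted_cert() {
    alias_name=$1
    cert_file=$2
    expected_fp=$3
    store=${4:-../lib/security/cacerts}
    storepass=${STOREPASS:-changeit}   # default password named on this page

    actual_fp=$(keytool -printcert -file "$cert_file" | extract_sha256)
    if ! fp_matches "$actual_fp" "$expected_fp"; then
        echo "Fingerprint mismatch, not importing $cert_file" >&2
        return 1
    fi
    cp -p "$store" "$store.backup" || return 1
    keytool -import -alias "$alias_name" -keystore "$store" \
        -file "$cert_file" -storepass "$storepass" -noprompt || return 1
    keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias_name"
}
```

An empty or unreadable certificate file yields an empty fingerprint, which never matches, so the truststore is left untouched in that case.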