Add Certificate to Java Truststore

Adding a custom certificate or a certificate authority (CA) to the Java truststore is commonly required to be able to access HTTPS endpoints using your organization’s internal certificate authorities.

To determine which certificate to export, consider the following:

  • Root Certificate Authority (CA) (recommended): Trusts all certificates issued by that CA, making it the most future-proof choice for organizational certificate authorities.

  • Entire certificate chain: Includes all intermediate certificates and provides a complete validation path, which is useful for complex certificate hierarchies or troubleshooting.

If you prefer a tool with a graphical interface instead, you can use KeyStore Explorer, an open source replacement for the Java command-line utilities keytool and jarsigner. For details, refer to the KeyStore Explorer documentation.

How to add a certificate to the Java truststore

To add a new certificate to the Java truststore:

  1. Export the certificate from your web browser.

    1. In your browser, open the HTTPS URL from which you want to export the certificate.

      The specific instructions might differ for your browser and browser version.
      • In Google Chrome:

        1. Select the tune icon (View site information) in the address bar, to the left of the site URL.

        2. Select Connection is secure > Show certificate.

        3. On the Details tab, select the certificate you want to export (root CA or specific certificate).

        4. Select Export and save the file.

      • In Mozilla Firefox:

        1. Select the padlock icon in the address bar, to the left of the site URL.

        2. Select Connection secure > More information.

        3. Select View Certificate.

        4. Find the certificate you want to export (root CA or specific certificate).

        5. In the certificate Miscellaneous section, select Download next to the certificate.

  2. Locate the Java truststore file in your ONE Desktop installation, typically jre/lib/security/cacerts. The default password is changeit.

    Create a backup of the original cacerts file before making any changes:

    cp jre/lib/security/cacerts jre/lib/security/cacerts.backup

  3. Import the certificate using the Java keytool.

    1. Navigate to the jre/bin directory in your ONE Desktop installation and open a terminal there.

    2. Run the following command:

      keytool -import -alias your-cert-alias -keystore ../lib/security/cacerts -file path/to/your-certificate.cer -storepass <storepass(default: changeit)> -noprompt

      Replace your-cert-alias with a descriptive name and update the file path. The certificate file has an extension such as .cer, .pem, or .crt, depending on your browser.

    3. When prompted, enter the truststore password (changeit). keytool prompts for it only if you leave out the -storepass option.

    4. Type yes when asked to trust the certificate. keytool asks only if you leave out the -noprompt option.

  4. Optionally, verify the import using the following command.

    keytool -list -keystore ../lib/security/cacerts -alias your-cert-alias

    If successful, the output displays certificate details including the alias, creation date, and certificate information:

    your-cert-alias, Jan 15, 2025, trustedCertEntry,
    Certificate fingerprint (SHA-256): A1:B2:C3:D4...

    If the certificate was not imported successfully, an error is shown instead: Alias <your-cert-alias> does not exist. In that case, choose a different alias name or remove the existing one first.

    Here are some other common errors you might encounter:

    • Certificate already exists: The certificate might already be imported. Verify with the list command.

    • File format error: Re-export the certificate in a different format.

    • Permission denied: Run the command as administrator or sudo user.
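
The backup, import, and verify steps above, combined into one script that refuses to import unless the exported file's SHA-256 fingerprint matches a value you obtained separately from the owner of the CA. This is an added example, not part of the original page or the product; the script name, the function names, and the KEYSTORE and STOREPASS variables are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Run from jre/bin, hypothetical script name:
#   ./import-pinned.sh your-cert-alias path/to/your-certificate.cer EXPECTED_SHA256
KEYSTORE=${KEYSTORE:-../lib/security/cacerts}   # truststore path used on this page
STOREPASS=${STOREPASS:-changeit}                # default password stated on this page

# Canonical form: hex digits only, upper case, so "a1:b2" equals "A1B2".
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read keytool output on stdin and print its SHA-256 fingerprint, normalized.
# Matches "SHA256: .." (-printcert, -list -v) and "(SHA-256): .." (-list).
fp_from_keytool() {
  fp=$(sed -n 's/.*SHA-\{0,1\}256)\{0,1\}:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1)
  normalize_fp "$fp"
}

# True only for two equal, complete (64 hex digit) SHA-256 fingerprints.
fp_matches() {
  a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
  case $a in *[!0-9A-F]*) return 1 ;; esac
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Args: alias, certificate file, expected SHA-256 fingerprint (from the CA owner).
import_pinned() {
  name=$1; cert=$2; want=$3
  got=$(keytool -printcert -file "$cert" | fp_from_keytool)
  if ! fp_matches "$got" "$want"; then
    echo "fingerprint mismatch for $cert, nothing imported" >&2
    return 1
  fi
  cp "$KEYSTORE" "$KEYSTORE.backup" || return 1     # backup, as in step 2
  keytool -import -alias "$name" -keystore "$KEYSTORE" -file "$cert" \
    -storepass "$STOREPASS" -noprompt || return 1
  # Re-read the stored entry and confirm it is the certificate that was pinned.
  stored=$(keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$name" | fp_from_keytool)
  fp_matches "$stored" "$want"
}

if [ "$#" -eq 3 ]; then import_pinned "$@"; fi
```

Because the command on this page uses -noprompt, keytool never shows the certificate for confirmation, so the fingerprint comparison is the only point at which a wrong or substituted file is caught.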
