How do I find out what keystore my JVM is using?
JavaJvmKeytoolJava Problem Overview
I need to import a certificate into my JVM keystore. I am using the following:
keytool -import -alias daldap -file somecert.cer
so I would need to probably change my call into something like:
keytool -import -alias daldap -file somecert.cer -keystore cacerts –storepass changeit
Java Solutions
Solution 1 - Java
Your keystore will be in your JAVA_HOME---> JRE -->lib---> security--> cacerts
. You need to check where your JAVA_HOME is configured, possibly one of these places,
-
Computer--->Advanced --> Environment variables---> JAVA_HOME
-
Your server startup batch files.
In your import command -keystore cacerts (give full path to the above JRE here instead of just saying cacerts).
Solution 2 - Java
Keystore Location
Each keytool command has a -keystore
option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named .keystore
in the user's home directory, as determined by the "user.home" system property. Given user name uName, the "user.home" property value defaults to
C:\Users\uName on Windows 7 systems
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems
Thus, if the user name is "cathy", "user.home" defaults to
C:\Users\cathy on Windows 7 systems
C:\Winnt\Profiles\cathy on multi-user Windows NT systems
C:\Windows\Profiles\cathy on multi-user Windows 95 systems
Solution 3 - Java
Mac OS X 10.12 with Java 1.8:
$JAVA_HOME/jre/lib/security
cd $JAVA_HOME
/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home
From there it's in:
./jre/lib/security
I have a cacerts keystore in there.
To specify this as a VM option:
-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit
I'm not saying this is the correct way (Why doesn't java know to look within JAVA_HOME?), but this is what I had to do to get it working.
Solution 4 - Java
You can find it in your "Home" directory:
On Windows 7:
C:\Users\<YOUR_ACCOUNT>\.keystore
On Linux (Ubuntu):
/home/<YOUR_ACCOUNT>/.keystore
Solution 5 - Java
This works for me:
#! /bin/bashCACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))/../lib/security/cacerts)
if keytool -list -keystore $CACERTS -storepass changeit > /dev/null ; then echo $CACERTS else echo 'Can not find cacerts file.' >&2 exit 1 fi
Only for Linux. My Solaris has no readlink. In the end I used this Perl-Script:
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
$keytool -list -keystore "$cacerts" -storepass changeit;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit;
warn "Can not import certificate: $?" unless $? == 0;
}
;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
$keytool -list -keystore "$cacerts" -storepass changeit;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit;
warn "Can not import certificate: $?" unless $? == 0;
}
;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit;
warn "Can not import certificate: $?" unless $? == 0;
}
;
warn "Can not import certificate: $?" unless $? == 0;
}
Solution 6 - Java
On Debian, using openjdk version "1.8.0_212", I found cacerts here:
/etc/ssl/certs/java/cacerts
Sure would be handy if there was a standard command that would print out this path.
Solution 7 - Java
As DimtryB mentioned, by default the keystore is under the user directory. But if you are trying to update the cacerts
file, so that the JVM can pick the keys, then you will have to update the cacerts
file under jre/lib/security
. You can also view the keys by executing the command keytool -list -keystore cacerts
to see if your certificate is added.
Solution 8 - Java
For me using the official OpenJDK 12 Docker image, the location of the Java keystore was:
/usr/java/openjdk-12/lib/security/cacerts
Solution 9 - Java
We encountered this issue on a Tomcat running from a jre directory that was (almost fully) removed after an automatic jre update, so that the running jre could no longer find jre.../lib/security/cacerts because it no longer existed.
Restarting Tomcat (after changing the configuration to run from the different jre location) fixed the problem.
Solution 10 - Java
In addition to all answers above:
If updating the cacerts file in JRE directory doesn't help, try to update it in JDK.
C:\Program Files\Java\jdk1.8.0_192\jre\lib\security