How do I find out what keystore my JVM is using?

I need to import a certificate into my JVM keystore. I am using the following:

keytool -import -alias daldap -file somecert.cer

so I would need to probably change my call into something like:

keytool -import -alias daldap -file somecert.cer -keystore cacerts –storepass changeit

Your keystore will be in your JAVA_HOME---> JRE -->lib---> security--> cacerts. You need to check where your JAVA_HOME is configured, possibly one of these places,

1. Computer--->Advanced --> Environment variables---> JAVA_HOME

2. Your server startup batch files.

In your import command -keystore cacerts (give full path to the above JRE here instead of just saying cacerts).

Keystore Location

Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named .keystore in the user's home directory, as determined by the "user.home" system property. Given user name uName, the "user.home" property value defaults to

C:\Users\uName on Windows 7 systems
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems

Thus, if the user name is "cathy", "user.home" defaults to

C:\Users\cathy on Windows 7 systems
C:\Winnt\Profiles\cathy on multi-user Windows NT systems
C:\Windows\Profiles\cathy on multi-user Windows 95 systems

https://docs.oracle.com/en/java/javase/17/docs/specs/man/keytool.html#importing-a-certificate-for-the-ca

Mac OS X 10.12 with Java 1.8:

$JAVA_HOME/jre/lib/security

cd $JAVA_HOME

/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home

From there it's in:

./jre/lib/security

I have a cacerts keystore in there.

To specify this as a VM option:

-Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit

I'm not saying this is the correct way (Why doesn't java know to look within JAVA_HOME?), but this is what I had to do to get it working.

You can find it in your "Home" directory:

On Windows 7:

C:\Users\<YOUR_ACCOUNT>\.keystore

On Linux (Ubuntu):

/home/<YOUR_ACCOUNT>/.keystore

This works for me:

#! /bin/bash

CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))/../lib/security/cacerts)
if keytool -list -keystore $CACERTS -storepass changeit > /dev/null ; then
echo $CACERTS
else
echo 'Can not find cacerts file.' >&2
exit 1
fi

Only for Linux. My Solaris has no readlink. In the end I used this Perl-Script:

#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
$keytool -list -keystore "$cacerts" -storepass changeit;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit;
warn "Can not import certificate: $?" unless $? == 0;
}
;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
#! /usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
$_ = realpath((grep {-x && -f} map {"$/keytool"} split(':', $ENV{PATH}))[0]);
die "Can not find keytool" unless defined $;
my $keytool = $;
print "Using '$keytool'.\n";
s/keytool$//;
$ = realpath($_ . '../lib/security/cacerts');
die "Can not find cacerts" unless -f $;
my $cacerts = $;
print "Importing into '$cacerts'.\n";
$keytool -list -keystore "$cacerts" -storepass changeit;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit;
warn "Can not import certificate: $?" unless $? == 0;
}
;
die "Can not read key container" unless $? == 0;
exit if $ARGV[0] eq '-d';
foreach (@ARGV) {
my $cert = $;
s/.[^.]+$//;
my $alias = $;
print "Importing '$cert' as '$alias'.\n";
keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit;
warn "Can not import certificate: $?" unless $? == 0;
}
;
warn "Can not import certificate: $?" unless $? == 0;
}

On Debian, using openjdk version "1.8.0_212", I found cacerts here:

 /etc/ssl/certs/java/cacerts

Sure would be handy if there was a standard command that would print out this path.

As DimtryB mentioned, by default the keystore is under the user directory. But if you are trying to update the cacerts file, so that the JVM can pick the keys, then you will have to update the cacerts file under jre/lib/security. You can also view the keys by executing the command keytool -list -keystore cacerts to see if your certificate is added.

For me using the official OpenJDK 12 Docker image, the location of the Java keystore was:

/usr/java/openjdk-12/lib/security/cacerts

We encountered this issue on a Tomcat running from a jre directory that was (almost fully) removed after an automatic jre update, so that the running jre could no longer find jre.../lib/security/cacerts because it no longer existed.

Restarting Tomcat (after changing the configuration to run from the different jre location) fixed the problem.

In addition to all answers above:

If updating the cacerts file in JRE directory doesn't help, try to update it in JDK.

C:\Program Files\Java\jdk1.8.0_192\jre\lib\security