Adding CACert to the Java Trusted Store

http://www.cacert.org/ is a great way to easily create free SSL certificates for development work. To connect successfully from a Java program over SSL to a server carrying a certificate issued by CACert, you need to “bless” the certificate, that is, make it trusted by your local Java JRE installation.

Let’s first make sure we are in the lib/security subdirectory of the currently running JRE:

> cd $JDK_HOME\jre\lib\security

Then, download the certificate file to your local computer:

$JDK_HOME\jre\lib\security> wget http://www.cacert.org/certs/root.crt
--2010-03-16 09:24:40--  http://www.cacert.org/certs/root.crt
Resolving www.cacert.org... 213.154.225.245
Connecting to www.cacert.org|213.154.225.245|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2569 (2.5K) [application/x-x509-ca-cert]
Saving to: `root.crt'
100%[======================================>] 2,569       15.4K/s   in 0.2s
2010-03-16 09:24:41 (15.4 KB/s) - `root.crt' saved [2569/2569]

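Now let’s import the certificate into the JRE keystore (note the password of the default JRE keystore: it’s different on different platforms). Because root.crt was downloaded over plain HTTP, compare the fingerprints keytool prints with the ones CACert publishes before answering yes: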

$JDK_HOME\jre\lib\security> keytool -import -keystore cacerts -storepass changeit -alias cacert-root1 -trustcacerts -file root.crt
Owner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Serial number: 0
Valid from: Sun Mar 30 04:29:49 PST 2003 until: Tue Mar 29 05:29:49 PDT 2033
Certificate fingerprints:
         MD5:  A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
         SHA1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
Trust this certificate? [no]:  yes
Certificate was added to keystore

Now you are ready to start sending Java SSL requests to your server.
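
The import step above, scripted so that the certificate is added only when its fingerprint matches a pinned value. This is an added example, not part of the original post; the function names are made up for illustration, and the pinned SHA1 is the one from the keytool output above, which you should confirm against CACert's published value.

```shell
#!/bin/sh
# Added example: import a CA certificate into a Java keystore only if its
# SHA-1 fingerprint matches a pinned value. Function names are illustrative.

# Fingerprint copied from the keytool output on this page; confirm it against
# the value the CA publishes before trusting it. Newer keytool versions also
# print a SHA256 line, which can be pinned the same way.
EXPECTED_SHA1="13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33"

# Read `keytool -printcert` output on stdin and print the SHA-1 fingerprint
# (20 colon-separated hex bytes). Prints nothing if no SHA1 entry is found.
extract_sha1() {
    sed -n 's/.*SHA1:[[:space:]]*\(\([0-9A-Fa-f]\{2\}:\)\{19\}[0-9A-Fa-f]\{2\}\).*/\1/p' | head -n 1
}

# Strip colons and whitespace and upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# Succeeds only when both fingerprints are non-empty and equal once
# normalized, so a failed parse can never count as a match.
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Usage: import_verified <cert-file> <keystore> <storepass> <alias>
import_verified() {
    actual=$(keytool -printcert -file "$1" | extract_sha1)
    if ! fingerprints_match "$actual" "$EXPECTED_SHA1"; then
        echo "fingerprint mismatch for $1: got '$actual', refusing to import" >&2
        return 1
    fi
    # -noprompt skips the "Trust this certificate?" question, which is
    # acceptable here only because the fingerprint was checked above.
    keytool -import -noprompt -trustcacerts \
        -keystore "$2" -storepass "$3" -alias "$4" -file "$1"
}

# Run the import only when called with all four arguments, e.g.
#   sh import-cacert.sh root.crt cacerts changeit cacert-root1
if [ "$#" -eq 4 ]; then
    import_verified "$@"
fi
```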