How to Import an SSL Certificate

In order to use SSL with your client API program, you need to install your server's certificate in the key store used by your client application. To import a certificate you need to have it in the form of a text file. This page describes the trust store and shows you how to add your self-signed certificate to those trusted by the Java™ virtual machine.


Note

Before you start working with certificates, make sure that all of your computer's clocks are set correctly. Certificates are only valid between specific start and end dates, so discrepancies between clocks can lead computers to disagree on whether a certificate is valid or not.


About the Client-Side Trust Store

In your JDK installation directory you should find a file named .../jre/lib/security/cacerts. This file is the trust store used by the SSL implementation that Sun delivers with JDK 1.4. It is a key store file that contains certificates only, no private keys.

If you like, you can use Sun's keytool utility to list the contents of the cacerts file. Open a command prompt and cd to .../jre/lib/security under your JDK installation directory. Be sure the JDK bin directory is on your path, then type the command

keytool -list -keystore cacerts -storepass changeit

... several lines of keytool output appear...

Notice that no "keyEntry" items are listed. This means that each certificate in cacerts is a trusted certificate, that is, there are no private keys associated with the certificates. (The certificate's owner retains the private key.)

The cacerts file contains all certificates that the JDK 1.4 JSSE implementation will trust. If the client connects to a server that presents a certificate that exists in the cacerts file, then the client SSL implementation will accept the certificate and complete the connection. The client will also accept server certificates that are signed by a trusted Certificate Authority, such as Thawte or Verisign. However, if a server presents a certificate that meets neither of these criteria, then the client SSL implementation will refuse to complete the connection.

The Import Procedure

We will first make a backup copy of your existing cacerts file. Then, using the mycert.rfc file you created from your self-signed certificate, we will add your certificate to the original cacerts file so it will be trusted by Java's client SSL implementation. The backup copy of cacerts will allow you to restore the original cacerts when you have finished testing with your self-signed certificate.

  1. Open a command prompt window and navigate to the .../jre/lib/security directory under your JDK 1.4 installation directory.
  2. Make a backup copy of the cacerts file.
  3. Add your certificate to cacerts with the following command:

keytool -import -alias mycert -file A:\mycert.rfc \
-keystore jssecacerts -storepass changeit

...keytool lists certificate information...
Trust this certificate? [no]: yes
Certificate added to keystore

Now you can list the contents of your cacerts trust store (as described above) and verify that your certificate is trusted.
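A programmatic version of that check in Java, added here as an example (not code from the original page): it opens the trust store JSSE actually consults (jssecacerts if that file exists, otherwise cacerts), confirms that no private-key entries are present, and reports whether a certificate file such as mycert.rfc is accepted by the default trust manager. Class and method names are mine; the store password is assumed to be the default changeit, and the certificate file path is taken from the first command-line argument.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    /** Counts private-key entries; a trust store such as cacerts should report 0. */
    static int countKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) n++;
        }
        return n;
    }
    /** True if the default trust manager built from ks accepts the certificate in pemFile. */
    static boolean isTrusted(KeyStore ks, Path pemFile) throws Exception {
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(pemFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { cert }, "RSA");
            return true;
        } catch (CertificateException e) {
            return false; // untrusted, or the local clock is outside the validity period
        }
    }
    public static void main(String[] args) throws Exception {
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path store = security.resolve("jssecacerts");                  // JSSE looks here first...
        if (!Files.exists(store)) store = security.resolve("cacerts"); // ...then falls back to cacerts
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, "changeit".toCharArray()); // default trust store password (assumed unchanged)
        }
        System.out.println(store + ": " + ks.size() + " entries, " + countKeyEntries(ks) + " private keys");
        System.out.println(args[0] + " trusted: " + isTrusted(ks, Paths.get(args[0])));
    }
}
```

Run it as `java TrustStoreCheck mycert.rfc` with the same JDK whose trust store you modified; because the import command above writes to jssecacerts, the program reports that file rather than cacerts once it exists.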


Copyright © 1989-2007 I/O Concepts, Inc. All rights reserved.