Using Mozilla's Certificate Authority List for Java SSL


Once a new certificate has been approved, it makes its way into the NSS (Network Security Services) libraries, which are what Firefox and other software use to determine whether they can trust a particular certificate. You could also use openssl to convert your PEM file to PKCS12 and then import it using Java's keytool executable. Here's a shell script that builds a new Java keystore from the Mozilla trusted certificate authority list.

#!/bin/sh

# Download Mozilla's certdata.txt from the NSS source tree
curl -o certdata.txt 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'

# Convert the local certdata.txt to a PEM bundle (-n: do not download again)
perl mk-ca-bundle.pl -n > ca-bundle.crt

# Import the PEM bundle into a new Java keystore
java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt

Now you can specify the JVM argument that makes Java use the new SSL certificate authority file:

-Djavax.net.ssl.trustStore=/path/to/trustStore.jks

If you specified a password other than changeit, you will also need to pass the password in the JVM arguments:

-Djavax.net.ssl.trustStorePassword=yourPassword

We will use one additional utility, called keyutil, to convert the certificate file into the JKS (Java keystore) file format. The certificates can be found in the NSS source code: here. Lots of Linux and open source software uses Mozilla's list of certificate authorities, most notably curl; the curl project has also built a nice utility, called mk-ca-bundle, that takes Mozilla's source file and creates a PEM file from it.


So we can use this utility to create a file that can replace the cacerts file that Java ships with. Oracle does update the cacerts file every so often, but it never seems to be as up to date as a browser such as Firefox. Mozilla, the folks who make Firefox and other great web software, use a rigorous process for approving certificate signing authorities before allowing their software to trust the certificates they sign.

Every so often you run into an issue where you need to import a certificate signing authority's certificate into Java's cacerts certificate authority file.
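
The build script above imports whatever the download and conversion steps produced, and curl without --fail exits 0 even when the server returns an error page. The following check is an added example, not part of the original article: it rejects an empty, truncated or non-PEM bundle before it becomes the JVM trust store. The function name check_pem_bundle and the sample data are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to import a bundle
# that is empty, truncated, or not PEM at all.

# check_pem_bundle FILE [MIN_CERTS]  (hypothetical helper name)
# Prints the number of complete certificate blocks found. Returns 0 only if
# every BEGIN has a matching END, each body is base64, and the count reaches
# MIN_CERTS; returns 1 for a bad bundle and 2 if FILE is unreadable.
check_pem_bundle() {
    bundle=$1
    min=${2:-1}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    awk -v min="$min" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; body = 0; next }
        /^-----END CERTIFICATE-----$/   { if (inblk && body) n++; else bad = 1; inblk = 0; next }
        inblk { if ($0 ~ "^[A-Za-z0-9+/=]+$") body++; else bad = 1 }
        END {
            if (inblk) bad = 1                   # file ended inside a block
            print n + 0
            exit ((bad || n + 0 < min + 0) ? 1 : 0)
        }' "$bundle"
}

# Constructed sample (not real certificates): one complete entry followed by
# a truncated one, as a download cut off mid-transfer would leave it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Constructed Root CA (sample data)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
EOF
if check_pem_bundle "$sample" 1 >/dev/null; then
    echo "bundle ok"
else
    echo "bundle rejected: do not import" >&2
fi
rm -f "$sample"
```

In the build script, run check_pem_bundle ca-bundle.crt 100 || exit 1 before the keyutil import; the floor of 100 is an assumed value, so set it from the size of a bundle you have reviewed.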

