How to add or list certificates from keystore or truststore in Java? Keytool Example Tutorial

How to add certificates on keystore in Java is the primary question when you start working on SSL connection and a simple answer is keytool utility in Java is used to add or list Certificates into keystore. SSL is the industry standard for secure communication between two parties e.g. client and server. SSL offers two benefits, it encrypts data transferred between client and server to make it hard for someone to access and understand in between and SSL also verifies the identity of two parties in communication, and certificates are used for that purpose. SSL Setup in Java comes during various processes e.g. Setting up SSL on tomcat, configuring messaging over SSL, or JDBC over SSL are some examples of tasks where you need to deal with keyStore, certificates, and trust stores.

For those who are not aware of what is a keystore in Java and what is certificates, we will see a brief introduction in the next section, but for a more detailed discussion, you refer to my next post on how SSL, HTTPS, and Certificates work together in Java application.

And, If you are new to the Java world then I also recommend you go through The Complete Java MasterClass on Udemy to learn Java in a better and more structured way. This is one of the best and up-to-date courses to learn Java online.

And, here is a quick overview of truststore and keystore for you, we will see them in more detail in coming section. 

Basics of SSL Certificates and Keystore in Java

When we access a secure site that uses SSL for providing identity and encryption, it provides a certificate that was verified by trusted third-party sites like Verisign, GoDaddy, or Thwaite. 

By using certificates browser or java clients know that they talking to the correct site (who it claims to be) and not on redirected proxy site.

This step is pretty transparent if you access websites using a browser because if the certificate is not on the browser's trusted store it will ask you to add that certificate and it will be subsequently added, But when you access a secure site using Java program, this step of certificate handshaking is not transparent to user and certificates are verified from JRE's trustStore. T

his trustStore is located on the JDK Installation directory referred by JAVA_HOME like JAVA_HOME/jre/lib/security and commonly named "cacerts".

If the certificate provided by the secure site is present on JRE's trustStore SSL connection would be established but if the certificate is not there then Java will throw an exception and to solve that you need to add that certificate into trustStore.

Terms like keyStore and trustStore are often used interchangeably and the same file can act as keystore as well as trustStore it is just a matter of pointing javax.net.ssl.keyStore and javax.net.ssl.trustStore properties to that file but there is a slight difference between keystore and trustStore.

A keyStore is used to store individual identity or certificates while a trustStore is used to store other parties' certificates signed by CA. See the difference between keystore and trustStore, for more differences.

How to add, remove and list certificates from Java keystore?

In this article, we will see how to add, remove and list certificates from the Java keystore using the keytool utility.

keytool is binary located inside JAVA_HOME/jre/lib/security folder and used for adding, removing, and listing certificates. 

here is a step by step example of adding certificates in Java:

Example of listing certificates from Java Keystore:

Before adding new certificates in the keystore or trust store it's good to see, count, and verify already installed certificates. run following keytool command to get a list of certificates from keystore:

javin@localhost:C/Program Files/Java/jdk1.6.0_26/jre/lib/security keytool -list -keystore cacerts Enter keystore password:  changeit Keystore type: JKS Keystore provider: SUN Your keystore contains 76 entries digicertassuredidrootca, 07/01/2008, trustedCertEntry, Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72 trustcenterclass2caii, 07/01/2008, trustedCertEntry, Certificate fingerprint (MD5): CE:78:33:5C:59:78:01:6E:18:EA:B9:36:A0:B9:2E:23

You see currently keystore "cacerts" holds 76 certificates. You can also see these Java Programming courses to learn more usages of keytool and other JDK command-line tools, and other Java fundamental concepts in a guided and structured way. 

Example of adding Certificate on Java KeyStore:

Now let's see an example of adding certificates into the key store in Java:

1. Get Certificate: easier way is to point your browser to that URL and when the certificate is presented save it on your

local folder or directory say in C:/certificates/test.cer

2. Now go to the Security folder of your JRE installation directory. id you have JDK installed then it would be

something like C:/Program Files/Java//jdk1.6.0_20/jre/lib/security

3 Execute following keytool command to insert certificate into keystore

keytool -import -keystore cacerts -file test.cer

Now this will print details about the certificate and ask you for confirmation of adding certificates:

Trust this certificate? [no]:  y

Certificate was added to keystore

if you approve it by typing "y" the certificate will be added to the keystore.

Trust this certificate? [no]:  n

Certificate was not added to keystore

if you decline it by typing "n" the certificate will not be added into the keystore.

if you cannot access a secure URL using the browser then you can use InstallCert by which you can add a certificate into keystore by the program. For detailed examples see the last section of LDAP authentication with SSL in Java and Spring security. I have provided detailed steps to use InstallCert.java tool.

Important points about SSL, KeyStore and keytool command in Java

1. Certificates are required to access secure sites using SSL protocol or making a secure connection from the client to the server.

2. JRE stores certificates inside keystore named as "cacerts" in folder C:/Program Files/Java//jdk1.6.0_20/jre/lib/security.

3. Common password of the keystore is "Changeit".

4. Keytool is used to access keystore in Java and by using keytool you can list, add certificates from keystore.

5. If you are implementing an SSL connection on the Server-side say Tomcat you need both keyStore and trustStore, both can be the same file, though. keyStore will be used to store server certificates which the server will present to the client on SSL connection.

That’s all on how to add and list certificates from keyStore or trustStore in java. The keytool utility which comes with JDK installation will help you to create an alias, list certificates, etc.

Other Java tutorials you may like:

• How to read from Memory Mapped file in Java
• 10 Java debugging tips from Eclipse IDE
• How to remote debug Java applications in Eclipse
• 10 Example of display tag in JSP and Spring
• 10 interview questions on the Spring framework
• How to convert HashMap to List in Java
• How to traverse Map in Java with 4 ways
• How to change the default port of Tomcat from 8080