Importing certificates into keystores

== Import Root and Intermediate Certificate into Java TrustStore ==

For certain constellations, for example when [[connecting to an LDAP server>>doc:Formcycle.UserInterface.UserSettings.LDAP]], it may be necessary to import the root certificate or the root and intermediate certificates used to create the other server's certificate into the Java TrustStore.

6

7

=== Java TrustStore ===

8

9

The Java TrustStore contains all root certificates trusted by a Java installation. It should be noted that for systems with multiple Java versions installed, the TrustStore of the Java used by the application server running {{formcycle/}} is used. For example, a full path might look like this:

10

11

12

"C:\Program Files\AdoptOpenJDK\jdk-11.0.9.101-hotspot\lib\security\cacerts"

13

14

15

It should also be noted that the path can be significantly different depending on the operating system environment and the installation type of the Java used. Particularly under Linux, the Java installation folder sometimes only refers to the real location of the TrustStore with a symbolic link. The file name of the TrustStore is usually {{code language="none"}}cacerts{{/code}}.

16

17

Unless the password has been changed, the default password {{code language="none"}}changeit{{/code}} is used for the Java TrustStore in most environments.

18

19

The following section discusses two ways in which root and intermediate certificates can be imported into the TrustStore of a Java installation.

20

21

=== Import with keytool ===

22

23

For this the tool //keytool// is used, which is normally provided by the used Java installation in the //bin// directory.

24

25

When the tool is called, the following parameters are used, which must be adapted to the specific environment:

26

27

; "Alias name of the certificate"

28

: Alias used in the TrustStore for the certificate. This can be freely selected, but there must not already be another certificate with the same alias in the TrustStore.

29

; "certificate.cer"

30

: Name of (and if necessary path to) the certificate to import

31

; "Path-to-certificate-store"

32

: Full path to the [[Java TrustStore>>doc:||anchor="HJavaTrustStore"]]

33

34

Der auszuführende Befehl lautet:

35

36

37

keytool -importcert -trustcacerts -alias "Alias name of the certificate" -file "certificate.cer" -keystore "Path-to-certificate-store"

38

39

40

=== Import with KeyStore Explorer ===

41

42

The //KeyStore Explorer// is a graphical tool running under Java for creating and editing keystores of various types. It should be noted that the //KeyStore Explorer// must be started with sufficient rights to have read and write access to the TrusStore. After the //KeyStore Explorer// has been started, the following steps must be performed:

43

44

First, the TrustStore must be opened in //KeyStore Explorer//. This is done via the button //Open an existing KeyStore//:

45

46

[[image:TrustStore_KeyStore_Explorer_en_1.png]]

47

48

49

In the dialog that opens, the TrustStore to be used must be selected. Then another dialog opens in which the password of the TrustStore must be entered:

50

51

[[image:TrustStore_KeyStore_Explorer_en_2.png]]

52

53

54

Subsequently, a list with all certificates contained in the TrustStore is displayed in //KeyStore Explorer//. Now click on //Tools {{rarrow/}} Import Trusted Certificate// in the menu and select the certificate to be imported in the dialog that then opens:

55

56

[[image:TrustStore_KeyStore_Explorer_en_3.png]]

57

58

59

A dialog then opens in which the alias name must be entered under which the certificate will be stored in the TrustStore, whereby the essential requirement for this alias is that there is not already another certificate in the TrustStore that uses the same alias:

60

61

[[image:TrustStore_KeyStore_Explorer_en_4.png]]

62

63

64

After that, the message should appear that the certificate has been imported successfully. Now the changes to the TrustStore only have to be saved, which is done via the //Save// icon in the interface or via the menu under //File {{rarrow/}} Save//. If it turns out at this point that the //KeyStore Explorer// does not have write permissions for the TrustStore, it can first be saved to a different location using the //File {{rarrow/}} Save As// menu option and then manually moved to the correct location by a user with the appropriate permissions.

65

66

=== Import of intermediate certificates ===

67

68

If the certificate to be trusted was issued via an intermediate certificate, this may also have to be imported. This is necessary if this intermediate certificate is not provided by the server with which the connection is to be established. The import is performed in the same way as for the root certificate with the above instructions and correspondingly adapted parameters for alias and the file name or path of the intermediate certificate.

Wiki source code of Zertifikate in Keystores importieren

Navigation

author	version	line-number	content
		1	{{content/}}
		2
		3	== Import Root and Intermediate Certificate into Java TrustStore ==
		4
		5	For certain constellations, for example when [[connecting to an LDAP server>>doc:Formcycle.UserInterface.UserSettings.LDAP]], it may be necessary to import the root certificate or the root and intermediate certificates used to create the other server's certificate into the Java TrustStore.
		6
		7	=== Java TrustStore ===
		8
		9	The Java TrustStore contains all root certificates trusted by a Java installation. It should be noted that for systems with multiple Java versions installed, the TrustStore of the Java used by the application server running {{formcycle/}} is used. For example, a full path might look like this:
		10
		11	{{code language="none"}}
		12	"C:\Program Files\AdoptOpenJDK\jdk-11.0.9.101-hotspot\lib\security\cacerts"
		13	{{/code}}
		14
		15	It should also be noted that the path can be significantly different depending on the operating system environment and the installation type of the Java used. Particularly under Linux, the Java installation folder sometimes only refers to the real location of the TrustStore with a symbolic link. The file name of the TrustStore is usually {{code language="none"}}cacerts{{/code}}.
		16
		17	Unless the password has been changed, the default password {{code language="none"}}changeit{{/code}} is used for the Java TrustStore in most environments.
		18
		19	The following section discusses two ways in which root and intermediate certificates can be imported into the TrustStore of a Java installation.
		20
		21	=== Import with keytool ===
		22
		23	For this the tool //keytool// is used, which is normally provided by the used Java installation in the //bin// directory.
		24
		25	When the tool is called, the following parameters are used, which must be adapted to the specific environment:
		26
		27	; "Alias name of the certificate"
		28	: Alias used in the TrustStore for the certificate. This can be freely selected, but there must not already be another certificate with the same alias in the TrustStore.
		29	; "certificate.cer"
		30	: Name of (and if necessary path to) the certificate to import
		31	; "Path-to-certificate-store"
		32	: Full path to the [[Java TrustStore>>doc:\|\|anchor="HJavaTrustStore"]]
		33
		34	Der auszuführende Befehl lautet:
		35
		36	{{code}}
		37	keytool -importcert -trustcacerts -alias "Alias name of the certificate" -file "certificate.cer" -keystore "Path-to-certificate-store"
		38	{{/code}}
		39
		40	=== Import with KeyStore Explorer ===
		41
		42	The //KeyStore Explorer// is a graphical tool running under Java for creating and editing keystores of various types. It should be noted that the //KeyStore Explorer// must be started with sufficient rights to have read and write access to the TrusStore. After the //KeyStore Explorer// has been started, the following steps must be performed:
		43
		44	First, the TrustStore must be opened in //KeyStore Explorer//. This is done via the button //Open an existing KeyStore//:
		45
		46	[[image:TrustStore_KeyStore_Explorer_en_1.png]]
		47
		48
		49	In the dialog that opens, the TrustStore to be used must be selected. Then another dialog opens in which the password of the TrustStore must be entered:
		50
		51	[[image:TrustStore_KeyStore_Explorer_en_2.png]]
		52
		53
		54	Subsequently, a list with all certificates contained in the TrustStore is displayed in //KeyStore Explorer//. Now click on //Tools {{rarrow/}} Import Trusted Certificate// in the menu and select the certificate to be imported in the dialog that then opens:
		55
		56	[[image:TrustStore_KeyStore_Explorer_en_3.png]]
		57
		58
		59	A dialog then opens in which the alias name must be entered under which the certificate will be stored in the TrustStore, whereby the essential requirement for this alias is that there is not already another certificate in the TrustStore that uses the same alias:
		60
		61	[[image:TrustStore_KeyStore_Explorer_en_4.png]]
		62
		63
		64	After that, the message should appear that the certificate has been imported successfully. Now the changes to the TrustStore only have to be saved, which is done via the //Save// icon in the interface or via the menu under //File {{rarrow/}} Save//. If it turns out at this point that the //KeyStore Explorer// does not have write permissions for the TrustStore, it can first be saved to a different location using the //File {{rarrow/}} Save As// menu option and then manually moved to the correct location by a user with the appropriate permissions.
		65
		66	=== Import of intermediate certificates ===
		67
		68	If the certificate to be trusted was issued via an intermediate certificate, this may also have to be imported. This is necessary if this intermediate certificate is not provided by the server with which the connection is to be established. The import is performed in the same way as for the root certificate with the above instructions and correspondingly adapted parameters for alias and the file name or path of the intermediate certificate.