How to deal with certificates from non-trusted Certificate Authorities


Applies To

Java SE JDK and JRE - Version 7 and later
Any platform


Introduction

Java’s cacerts truststore includes the root certificates of some well-known public Certificate Authorities (CAs). Certificates issued by those CAs are trusted.

Unfortunately, there are situations where applications cannot be signed with a trusted certificate. Large corporations and government authorities frequently run their own certificate authorities. Some countries require their applications to be signed by a national CA which is only available in that particular country. Such corporate or governmental CAs are not recognized by Java as trusted Certificate Authorities, since their root certificates are not included in Java’s cacerts truststore.

What possibilities exist to make a corporate or governmental CA a trusted CA in my environment?


Solution

There are four ways to handle a certificate obtained from a non-trusted certificate authority. Java considers a CA as trusted if its root certificate is inserted in the trusted keystore named cacerts. The location of this file depends on the JDK release and operating system:

Windows

  • JDK 7 and 8: <JDK_HOME>\jre\lib\security
  • JDK 11 and up: <JDK_HOME>\lib\security

Other Operating Systems

  • <JDK_HOME>/lib/security

The four options are:

  1. It is possible to add additional root certificates to the cacerts file using the keytool -importcert command. Warning! After each Java update, the cacerts file gets overwritten and you will have to re-insert the additional root certificates. For this reason, it is not recommended that you modify the cacerts keystore.

  2. A better approach would be to insert a root certificate into a user or system level certificate store. Please refer to the documentation of your OS for directions on how to achieve this.

  3. Another alternative is to insert a root certificate into the browser’s trusted keystores. This is browser-specific so please refer to the documentation of your browser for directions on how to achieve this. Usually the easiest way is to point the browser to the location of the root certificate PEM file. The browser should recognize it and ask you where to store it. Make sure you insert the new trusted root certificate into the appropriate keystore for trusted root certificates. In order to make use of the browser keystore in Java, it is essential that you tick the checkbox “Use certificates and keys” under “Advanced Security Settings” under the “Advanced” tab in the Java control panel.

  4. A long-term solution would be for a non-trusted CA to become a trusted CA. Please see “Including Certificate Authority Root Certificates in Java” for details of the program.
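The following script is an added example for option 1 above; it is not part of the original note. It resolves the cacerts path from the two layouts listed under Solution, imports a root certificate with keytool -importcert only if the alias is not already present, and keeps a backup so the certificate can be re-inserted after a Java update. JAVA_HOME, the alias "corp-root", the file corp-root.pem and the default store password "changeit" are assumptions.

```shell
# Runs under POSIX sh. Requires keytool from the JDK on PATH for the import step.

# Resolve the cacerts path for a JDK home: JDKs that ship a jre/ subdirectory
# (7 and 8) keep it under jre/lib/security, later JDKs under lib/security.
# Prints the path, or fails if neither location holds a cacerts file.
find_cacerts() {
    jdk_home="$1"
    if [ -f "$jdk_home/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$jdk_home/jre/lib/security/cacerts"
    elif [ -f "$jdk_home/lib/security/cacerts" ]; then
        printf '%s\n' "$jdk_home/lib/security/cacerts"
    else
        echo "no cacerts found under $jdk_home" >&2
        return 1
    fi
}

# Import a PEM root certificate into the given truststore under the given alias.
# keytool -list with -alias exits non-zero when the alias is absent, which is
# used here to make the import idempotent. A timestamped backup is taken first;
# because cacerts is replaced on every Java update, the backup also records
# which certificates must be re-imported afterwards.
import_root_ca() {
    truststore="$1"; alias="$2"; pem="$3"; storepass="${4:-changeit}"
    if keytool -list -keystore "$truststore" -storepass "$storepass" \
            -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already present in $truststore"
        return 0
    fi
    cp "$truststore" "$truststore.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$truststore" -storepass "$storepass" \
        -alias "$alias" -file "$pem" || return 1
    # Verify the import by listing the alias and its fingerprint.
    keytool -list -keystore "$truststore" -storepass "$storepass" -alias "$alias"
}

# Usage with the assumed placeholders (uncomment to run):
# cacerts="$(find_cacerts "$JAVA_HOME")" && import_root_ca "$cacerts" corp-root corp-root.pem
```

Re-run the usage line after each Java update; the alias check makes a second run on an unchanged truststore a no-op.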


Last reviewed on Sat Feb 01 2025