The JRE (Java Runtime Environment) uses the file cacerts as the trust base for HTTPS connections to a server. You can substitute this trust base with the Mozilla CA bundle, which is used e.g. in Firefox.
You will find a PEM file with all the Mozilla CA certificates on curl's "CA certificates extracted from Mozilla" page (https://curl.se/docs/caextract.html). As of the day of writing, the current file is cacert-2022-10-11.pem.
Download the current PEM file
The checksum file comes from the same server as the bundle, so the check detects a corrupted download rather than a compromised source.
$ wget --no-use-server-timestamps https://curl.se/ca/cacert-2022-10-11.pem
$ chmod 644 cacert-2022-10-11.pem
$ wget --no-use-server-timestamps https://curl.se/ca/cacert-2022-10-11.pem.sha256
$ chmod 644 cacert-2022-10-11.pem.sha256
$ sha256sum --check cacert-2022-10-11.pem.sha256
cacert-2022-10-11.pem: OK
Split the PEM file into one file per certificate
$ mkdir certs
$ cd certs
#
$ awk '
BEGIN { n = 1; }
split_after == 1 { n++; split_after = 0 }
/-----END CERTIFICATE-----/ { split_after = 1 }
{ print > "cert" n ".pem" }' ../cacert-2022-10-11.pem
Import all certificate files into a JKS keystore
In this example, I use the name cacert-2022-10-11.jks and the password changeit. The password changeit is also the default password of the JRE's cacerts file.
$ rm -f ../cacert-2022-10-11.jks
$ for f in *.pem
do
    echo "import certificate with alias $f"
    keytool -importcert \
        -keystore ../cacert-2022-10-11.jks \
        -storepass changeit -storetype jks \
        -noprompt -trustcacerts \
        -alias "$f" -file "$f" -v
done
#
$ chmod 600 ../cacert-2022-10-11.jks
$ cd ..
$ rm -fr certs
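The split-and-import steps above, as an added example that is not part of the original post: the awk program below names each file after the CA taken from the bundle, so the keytool aliases become meaningful instead of cert1, cert2, ..., writes only the PEM block into each file, and checks that the number of files matches the number of certificates in the bundle. It assumes the curl.se bundle layout, in which each certificate is preceded by its name and a line of "=" characters; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed bundle layout
# (https://curl.se/ca/cacert.pem): each certificate is preceded by its
# name on one line and a line of "=" characters on the next.
set -eu

# Print the number of PEM certificate blocks in FILE; fail if BEGIN/END differ.
count_pem_certs() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -eq "$e" ] || { echo "unbalanced BEGIN/END in $1" >&2; return 1; }
    echo "$b"
}

# split_pem_bundle BUNDLE OUTDIR: write OUTDIR/<alias>.pem containing only the
# PEM block (no header comments, no name line) and print the number written.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        /^=+$/ { name = prev; next }        # underline: previous line is the CA name
        { prev = $0 }
        /-----BEGIN CERTIFICATE-----/ {
            base = tolower(name); gsub(/[^a-z0-9]+/, "_", base)
            sub(/^_+/, "", base); sub(/_+$/, "", base)
            if (base == "") base = "cert"
            alias = base                    # de-duplicate repeated names
            if (++seen[base] > 1) alias = base "_" seen[base]
            file = outdir "/" alias ".pem"; inblock = 1
        }
        inblock { print > file }
        /-----END CERTIFICATE-----/ { close(file); inblock = 0 }
    ' "$bundle"
    set -- "$outdir"/*.pem
    [ -e "$1" ] && written=$# || written=0
    expected=$(count_pem_certs "$bundle")
    [ "$written" -eq "$expected" ] || { echo "wrote $written of $expected" >&2; return 1; }
    echo "$written"
}

# import_dir_into_jks OUTDIR KEYSTORE STOREPASS: import each split file as a
# trusted entry, using the file name (without .pem) as the alias.
import_dir_into_jks() {
    for f in "$1"/*.pem; do
        keytool -importcert -keystore "$2" -storepass "$3" -storetype jks \
            -noprompt -trustcacerts -alias "$(basename "$f" .pem)" -file "$f"
    done
}
```

Typical use: split_pem_bundle cacert-2022-10-11.pem certs && import_dir_into_jks certs cacert-2022-10-11.jks changeit.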
Add a self-signed one-day only certificate
I add a self-signed certificate valid for one day to the JKS keystore as a marker entry: its "Valid from" date then shows when the keystore was created. The private key is not needed after the import and is deleted together with the certificate file.
$ openssl req -new -x509 -nodes -newkey rsa:4096 -days 1 -keyout private.pem -out cert.pem -sha512 -subj "/C=DE/ST=Bavaria/L=Munich/OU=maroph/O=maroph@pm.me/CN=maroph's MozillaCA for JRE"
$ openssl x509 -noout -subject -startdate -enddate -in cert.pem
subject=C = DE, ST = Bavaria, L = Munich, OU = maroph, O = maroph@pm.me, CN = maroph's MozillaCA for JRE
notBefore=Nov 28 09:13:37 2022 GMT
notAfter=Nov 29 09:13:37 2022 GMT
$ keytool -importcert -keystore cacert-2022-10-11.jks -storepass changeit -noprompt -trustcacerts -alias maroph_mozilla_ca -file cert.pem -v
Certificate was added to keystore
[Storing cacert-2022-10-11.jks]
#
$ keytool -list -keystore cacert-2022-10-11.jks -storepass changeit -alias maroph_mozilla_ca -v | head -15
Alias name: maroph_mozilla_ca
Creation date: Nov 28, 2022
Entry type: trustedCertEntry
Owner: CN=maroph's MozillaCA for JRE, O=maroph@pm.me, OU=maroph, L=Munich, ST=Bavaria, C=DE
Issuer: CN=maroph's MozillaCA for JRE, O=maroph@pm.me, OU=maroph, L=Munich, ST=Bavaria, C=DE
Serial number: 4f3d9b5e63d62831f681e0a9f5ae9d7af5b3a9cf
Valid from: Mon Nov 28 10:13:37 CET 2022 until: Tue Nov 29 10:13:37 CET 2022
Certificate fingerprints:
SHA1: 31:B7:6B:6A:CE:9E:64:0A:8A:36:35:90:CF:50:38:E5:83:65:C3:90
SHA256: AA:FB:C1:1E:58:27:AD:BF:50:15:21:13:DE:64:E1:E7:4B:DF:E2:16:E4:1F:5A:FD:12:68:87:97:62:09:4C:65
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
$ rm -f cert.pem private.pem
Substitute the JRE cacerts file
The cacerts file of a JRE is lib/security/cacerts below the JRE directory; in a Java 8 JDK it is jre/lib/security/cacerts. Keep a copy of the original file before replacing it with the new keystore.
Optional: export the JKS keystore into a PKCS12 keystore
$ rm -f cacert-2022-10-11.p12
$ keytool -importkeystore \
-srckeystore cacert-2022-10-11.jks \
-srcstoretype jks \
-srcstorepass changeit \
-destkeystore cacert-2022-10-11.p12 \
-deststoretype pkcs12 \
-deststorepass changeit \
-noprompt -v
$ chmod 600 cacert-2022-10-11.p12