
Install CA certificates for Java

Normally there is no need for students to install CA certificates for use with Java.

Download

If WiFi is already set up, you only need the last 2 of the following 5 certificates; otherwise you need all of them. Save the certificates in a temporary directory (e.g. C:\Temp) under the names specified here:

telekom.crt
https://pki.pca.dfn.de/fh-schmalkalden-ca/pub/cacert/rootcert.crt

dfn.crt
https://pki.pca.dfn.de/fh-schmalkalden-ca/pub/cacert/intermediatecacert.crt

hsm-ca.crt
https://pki.pca.dfn.de/fh-schmalkalden-ca/pub/cacert/cacert.crt

iukca3.crt
Download from CMS

zefica.crt
Download from CMS

Right-click a link and choose “Save as” from the context menu.

Find key store information

The CA certificates used by Java are saved in a "cacerts" file in the Java installation directory.

If you installed a JRE to /usr/local/jre1.7.0_51, the Java binary file is /usr/local/jre1.7.0_51/bin/java and the keystore file is /usr/local/jre1.7.0_51/lib/security/cacerts.

View keystore content

Run

 

keytool -list -keystore /usr/local/jre1.7.0_51/lib/security/cacerts

 

to list the CA certificates in the keystore.

Comparison by fingerprint

Run

 

openssl x509 -noout -fingerprint -in /.../telekom.pem
openssl x509 -noout -fingerprint -in /.../dfn.pem
openssl x509 -noout -fingerprint -in /.../hsm-ca.pem
openssl x509 -noout -fingerprint -in /.../iukca3.pem
openssl x509 -noout -fingerprint -in /.../zefica.pem

 

to view the certificate fingerprints. Compare these fingerprints with those listed in the previous step to find the missing certificates that have to be imported.

Import missing certificates

For those certificates not yet present in the keystore run

 

keytool -import -trustcacerts -alias telekom -file /.../telekom.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias dfnpkica -file /.../dfn.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias fhsca -file /.../hsm-ca.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias iukca3 -file /.../iukca3.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias zefica -file /.../zefica.pem -keystore /.../lib/security/cacerts

 

to import the certificates.

The default password to access the Java keystore is “changeit”. On Windows you can change it as suggested.
On Linux you should stick to the default password but set restrictive permissions on the keystore file. Nobody but root should have write permission.
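
The fingerprint comparison described above can be scripted. The following is an added example, not part of the original page: it extracts the fingerprints from the output of keytool -list -v and checks each certificate file's SHA-256 fingerprint against them, so the result does not depend on keytool and openssl using the same default digest. The script name, the function names and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which CA certificate files are not yet in a Java keystore.
# Usage (check-cacerts.sh is a hypothetical file name):
#   sh check-cacerts.sh /path/to/lib/security/cacerts cert1.pem [cert2.pem ...]
# STOREPASS overrides the keystore password (default "changeit", as on this page).

# Read text on stdin; print every colon-separated hex digest of 20 or more
# bytes (SHA-1 is 20 bytes, SHA-256 is 32) as bare uppercase hex, one per line.
extract_fps() {
    grep -oE '([0-9A-Fa-f]{2}:){19,}[0-9A-Fa-f]{2}' | tr -d ':' | tr 'a-f' 'A-F'
}

# in_keystore LISTING FP_TEXT
# Returns 0 if the fingerprint in FP_TEXT occurs in LISTING, 1 if it is absent,
# 2 if FP_TEXT contains no fingerprint at all.
in_keystore() {
    fp=$(printf '%s\n' "$2" | extract_fps | head -n 1)
    [ -n "$fp" ] || return 2
    printf '%s\n' "$1" | extract_fps | grep -qxF "$fp"
}

# Constructed sample of keytool -list output (placeholder digest, not a real CA).
SAMPLE_LISTING='telekom, Jan 1, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

if [ "$#" -ge 2 ]; then
    keystore=$1; shift
    # On Java 7 and later, -v prints SHA-1 and SHA-256 digests for every entry.
    listing=$(keytool -list -v -keystore "$keystore" -storepass "${STOREPASS:-changeit}") || exit 1
    for cert in "$@"; do
        fp_line=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || exit 1
        if in_keystore "$listing" "$fp_line"; then
            echo "present: $cert"
        else
            echo "MISSING: $cert (import with keytool -import -trustcacerts)"
        fi
    done
fi
```

Only the files reported as MISSING need the import step; a match is by certificate digest, so it is found even if the keystore holds the certificate under a different alias.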