
Install CA certificates for Java

Normally there is no need for students to install CA certificates for use with Java.


If WiFi is already set up, you only need the final 2 of the 5 following certificates; otherwise you need all of them. Save the certificates in a temporary directory (e.g. C:\Temp), using the names specified here:





Right-click a link and choose “Save as” from the context menu.

Find keystore information

The CA certificates used by Java are saved in a "cacerts" file in the Java installation directory.

If you installed a JRE to /usr/local/jre1.7.0_51, the Java binary file is /usr/local/jre1.7.0_51/bin/java and the keystore file is /usr/local/jre1.7.0_51/lib/security/cacerts.

View keystore content

Run

keytool -list -keystore /usr/local/jre1.7.0_51/lib/security/cacerts

to list the CA certificates in the keystore.

Comparison by fingerprint

Run

openssl x509 -noout -fingerprint -in /.../telekom.pem
openssl x509 -noout -fingerprint -in /.../dfn.pem
openssl x509 -noout -fingerprint -in /.../hsm-ca.pem
openssl x509 -noout -fingerprint -in /.../iukca3.pem
openssl x509 -noout -fingerprint -in /.../zefica.pem

to view the fingerprints of the downloaded certificates. Compare them against the fingerprints listed in the previous step; any certificate whose fingerprint does not appear in the keystore listing is missing and has to be imported.
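The fingerprint comparison can be scripted instead of done by eye. The following is an added example, not part of the original page: it works on saved output of the two commands above, and the function names, the "alias|fingerprint line" input format and all fingerprint values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. All fingerprints are constructed sample values.

# Reduce a fingerprint line from either tool to bare upper-case hex:
#   keytool: "Certificate fingerprint (SHA1): AA:BB:..."
#   openssl: "SHA1 Fingerprint=AA:BB:..."
normalize_fp() {
  printf '%s\n' "$1" | sed -E 's/^.*(Fingerprint=|\): *)//' |
    tr -d ': \r' | tr 'a-f' 'A-F'
}

# stdin: `keytool -list` output; stdout: one normalized fingerprint per line.
keystore_fps() {
  grep -i 'fingerprint' | while IFS= read -r l; do normalize_fp "$l"; done
}

# $1: saved `keytool -list` output.
# stdin: one "alias|<openssl -fingerprint output line>" per certificate file.
# Prints the aliases whose certificate is absent from the keystore. Returns 2
# when the two tools used different digests (e.g. SHA-256 vs SHA1), because
# then every certificate would wrongly look missing.
missing_aliases() {
  have=$(printf '%s\n' "$1" | keystore_fps)
  first=$(printf '%s\n' "$have" | head -n 1)
  while IFS='|' read -r name fpline; do
    fp=$(normalize_fp "$fpline")
    if [ -n "$first" ] && [ "${#fp}" -ne "${#first}" ]; then
      echo "digest mismatch for $name: rerun openssl with a matching digest" >&2
      return 2
    fi
    printf '%s\n' "$have" | grep -qxF "$fp" || printf '%s\n' "$name"
  done
}

# Constructed sample data: two certificates already trusted, one not.
FP_A=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
FP_B=A0:A1:A2:A3:A4:A5:A6:A7:A8:A9:B0:B1:B2:B3:B4:B5:B6:B7:B8:B9
FP_C=C0:C1:C2:C3:C4:C5:C6:C7:C8:C9:D0:D1:D2:D3:D4:D5:D6:D7:D8:D9
SAMPLE_LISTING="Your keystore contains 2 entries

telekom, Jan 1, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): $FP_A
dfnpkica, Jan 1, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): $FP_B"
SAMPLE_CERTS="telekom|SHA1 Fingerprint=$FP_A
dfnpkica|SHA1 Fingerprint=$(printf '%s' "$FP_B" | tr 'A-F' 'a-f')
zefica|SHA1 Fingerprint=$FP_C"

printf '%s\n' "$SAMPLE_CERTS" | missing_aliases "$SAMPLE_LISTING"   # prints: zefica
```

Older keytool versions print SHA1 fingerprints and newer ones SHA-256, while `openssl x509 -fingerprint` defaults to SHA1; pass `-sha256` to openssl when the keystore listing shows SHA-256.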

Import missing certificates

For those certificates not yet present in the keystore run


keytool -import -trustcacerts -alias telekom -file /.../telekom.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias dfnpkica -file /.../dfn.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias fhsca -file /.../hsm-ca.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias iukca3 -file /.../iukca3.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias zefica -file /.../zefica.pem -keystore /.../lib/security/cacerts


to import the certificates.

The default password to access the Java keystore is “changeit”. On Windows you can change it as suggested.
On Linux you should stick to the default password but set restrictive permissions on the keystore file. Nobody but root should have write permission.