Install CA certificates for Java
Normally there is no need for students to install CA certificates for use with Java.
Download
If WiFi is already set up, you only need the last 2 of the following 5 certificates; otherwise you need all of them. Save the certificates in a temporary directory (e.g. C:\Temp) under the names specified here:
telekom.crt
https://pki.pca.dfn.de/fh-schmalkalden-ca/pub/cacert/rootcert.crt
dfn.crt
https://pki.pca.dfn.de/fh-schmalkalden-ca/pub/cacert/intermediatecacert.crt
hsm-ca.crt
https://pki.pca.dfn.de/fh-schmalkalden-ca/pub/cacert/cacert.crt
iukca3.crt
Download from CMS
zefica.crt
Download from CMS
Right-click a link and choose “Save as” from the context menu.
Find key store information
The CA certificates used by Java are saved in a "cacerts" file in the Java installation directory.
If you installed a JRE to /usr/local/jre1.7.0_51, the Java binary file is /usr/local/jre1.7.0_51/bin/java and the keystore file is /usr/local/jre1.7.0_51/lib/security/cacerts.
View keystore content
Run
keytool -list -keystore /usr/local/jre1.7.0_51/lib/security/cacerts
to list the CA certificates in the keystore.
Comparison by fingerprint
Run
openssl x509 -noout -fingerprint -in /.../telekom.pem
openssl x509 -noout -fingerprint -in /.../dfn.pem
openssl x509 -noout -fingerprint -in /.../hsm-ca.pem
openssl x509 -noout -fingerprint -in /.../iukca3.pem
openssl x509 -noout -fingerprint -in /.../zefica.pem
to view the certificate fingerprints. Compare them against the fingerprints listed in the previous step to find the missing certificates that have to be imported.
Import missing certificates
For those certificates not yet present in the keystore, run
keytool -import -trustcacerts -alias telekom -file /.../telekom.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias dfnpkica -file /.../dfn.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias fhsca -file /.../hsm-ca.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias iukca3 -file /.../iukca3.pem -keystore /.../lib/security/cacerts
keytool -import -trustcacerts -alias zefica -file /.../zefica.pem -keystore /.../lib/security/cacerts
to import the certificates.
The default password to access the Java keystore is “changeit”. On Windows you can change it as suggested.
On Linux you should stick to the default password but set restrictive permissions on the keystore file. Nobody but root should have write permission.
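The comparison from "View keystore content" and "Comparison by fingerprint" can be scripted; the following is an added example, not part of the original instructions. It tries both SHA1 and SHA-256 because keytool prints one or the other depending on the Java version, while openssl defaults to SHA1. The function names, the STOREPASS variable, the script name and the sample listing are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, STOREPASS and
# SAMPLE_LISTING are assumptions made for this illustration.
# Usage: sh check_ca.sh /.../lib/security/cacerts telekom.pem dfn.pem ...

# Constructed sample of `keytool -list` output (fingerprint value is made up).
SAMPLE_LISTING='telekom, Jan 1, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Reduce a fingerprint line from keytool or openssl to bare uppercase hex.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/.*[=)]//' | tr -d ': \r' | tr 'a-f' 'A-F'
}

# Exit status 0 if fingerprint line $2 occurs in keytool listing $1.
listing_has_fp() {
    want=$(normalize_fp "$2")
    [ -n "$want" ] || return 2
    printf '%s\n' "$1" | grep -i 'fingerprint' | sed -e 's/.*[=)]//' |
        tr -d ': \r' | tr 'a-f' 'A-F' | grep -xF "$want" >/dev/null
}

# Print, for each certificate file, whether the keystore already holds it.
report_missing() {
    keystore=$1; shift
    # "changeit" is the default keystore password named on this page.
    listing=$(keytool -list -keystore "$keystore" \
        -storepass "${STOREPASS:-changeit}") || return 1
    for cert in "$@"; do
        state=MISSING
        # keytool prints SHA1 or SHA-256 depending on version: try both.
        for alg in sha1 sha256; do
            fp=$(openssl x509 -noout -fingerprint "-$alg" -in "$cert") || continue
            if listing_has_fp "$listing" "$fp"; then state=present; fi
        done
        echo "$cert: $state"
    done
}

# Only touch a real keystore when a keystore and at least one file are given.
if [ "$#" -ge 2 ]; then
    report_missing "$@"
fi
```

Only the files reported as MISSING need the keytool -import step.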