This is just a quick one but it’s something I forget every time and always forget where to look.
I deal with lots of Java software at work and on our development network we have our own self-signed SSL certificate which we use for self-hosted internal tools. This can cause issues when bits of Java software need to communicate with those self-signed SSL using tools. This post is here to explain my common use-case and a common pitfall I have when doing it.
Instead of using the system keystore (find out how to add certificates as trusted root with this post) Java has its own.
To manage the Java keystore you need to use keytool.
Typically you would do something like:
/path/to/jdk/bin/keytool -import -trustcacerts -file selfsigned.local.crt -keystore /path/to/jre/lib/security/cacerts -alias *.selfsigned.local
This will add your self-signed root certificate,
selfsigned.local.crt, to the JRE’s keystore,
/path/to/jre/lib/security/cacerts, so that any sub domain of selfsigned.local will be trusted with that certificate.
When you run this command you will be prompted for a password however. If I haven’t done this for a few months I usually end up wondering when I set the password and why I didn’t put it in keepass if there’s no entry…until I remember that it has a default password!
The default password doesn’t seem to be mentioned much, the defaults are: changeit, unless you’re using a Mac OSX version prior to Mountain Lion (when they finally switched to the Oracle Java install), then it’s changeme.
You can change the password to something else using the following command:
/path/to/jdk/bin/keytool -storepasswd -keystore /path/to/jre/lib/security/cacerts
You should get prompted for the current password and you can put in the new password. You can also add a
-new t3lln0b0dy flag where hopefully you put a more secure password than t3lln0b0dy. (though I believe it’s not all that useful to set your own password as you can change the password without knowing the existing password with some code)