Root Certificate Authority
Codehaus uses a certificate issued by StartSSL, whose CA isn't included in the default JDK trusted CA list.
Installing the StartSSL CA into the Java JDK
Download the StartSSL CA and StartSSL Intermediate CA to your local filesystem.
Install the certificate into the JDK Trusted CA Certs. The default password is "changeit" or "changeme", depending on the JDK installed.
Installing the StartSSL CA into the Java JDK as non-root
If you do not have permission to modify your JDK installation, you can add the certificate to your own keystore. The keytool that comes with the JDK uses ~/.keystore by default. When running a JVM you need to tell the JVM about the keystore. It appears as if it will use this keystore in addition to the one in the JDK, so there is no need to add all the certificates from the JVM to the user copy.
NOTE: If you want to debug the security-related behaviour, add the -Djava.security.debug=all option.
Bulk updater
Since we have "a few" JDKs at Codehaus on various servers, we've written a bulk updater - deploy-ca - which will scan your various Java install areas and try to deploy the CA into those cacerts files. You will need to download startssl-CA.pem and startssl-Intermediate.pem into the same directory.
It seems to work, but please exercise due caution.
You may need to change the get_pass routine to return "changeme" rather than "changeit" as some systems seem to have a different perspective on the default store password.
This has not been tested on Windows, but has been successfully used on Linux (RHEL5) and OSX 10.6.
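The scan-and-deploy approach described above, sketched as an added example. This is not the Codehaus deploy-ca script: the function names, the alias names and the install paths in the usage comment are assumptions made for illustration. It prints the keytool commands by default and only modifies a truststore when APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not the Codehaus deploy-ca script. Assumptions: truststores
# sit at .../lib/security/cacerts, and the alias names below are made up.
CA_DIR=${CA_DIR:-.}                # directory holding the two PEM files
STOREPASS=${STOREPASS:-changeit}   # some systems use "changeme" instead
CERTS="startssl-ca:startssl-CA.pem startssl-intermediate:startssl-Intermediate.pem"

# List every cacerts truststore under the given Java install areas.
find_truststores() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -path '*/lib/security/cacerts' 2>/dev/null
    done | sort -u
}

# Dry run: print the keytool command for each certificate, one per line.
plan_imports() {
    for pair in $CERTS; do
        echo "keytool -importcert -trustcacerts -alias ${pair%%:*}" \
             "-file $CA_DIR/${pair#*:} -keystore $1 -storepass $STOREPASS"
    done
}

# Apply: back up the store once, skip aliases already present, then import.
apply_imports() {
    store=$1
    [ -w "$store" ] || { echo "skip (not writable): $store" >&2; return 0; }
    cp -p "$store" "$store.bak" || return 1
    for pair in $CERTS; do
        name=${pair%%:*}; pem=$CA_DIR/${pair#*:}
        if keytool -list -alias "$name" -keystore "$store" \
                -storepass "$STOREPASS" >/dev/null 2>&1; then
            echo "already present: $name in $store"; continue
        fi
        # No -noprompt on purpose: keytool shows the certificate fingerprints
        # and asks for confirmation before an untrusted root is added.
        keytool -importcert -trustcacerts -alias "$name" -file "$pem" \
            -keystore "$store" -storepass "$STOREPASS" || return 1
    done
}

# Usage (example paths): deploy_ca /usr/lib/jvm /opt/java
# Prints the plan only; set APPLY=1 to import (needs a terminal for prompts).
deploy_ca() {
    find_truststores "$@" | while IFS= read -r store; do
        if [ "${APPLY:-0}" = 1 ]; then apply_imports "$store" </dev/tty
        else plan_imports "$store"; fi
    done
}
```

Compare the fingerprints keytool displays with the values published by the CA before answering yes, and keep the .bak copy until the JVMs using that store have been checked.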

9 Comments
Jun 28, 2010
Paul Gier
I couldn't get this working using "startssl.pem", it gave me the error:
I had to go to the site (https://dav.codehaus.org/snapshots.repository/mojo/), then export the certificate, then import it into the keystore using instructions similar to those above. I'm not sure why the root certificate didn't work for me.
Jun 29, 2010
Alex Ruiz
On Windows 7 and jdk1.6.0_20 (32-bit) I needed to use the path $JAVA_HOME/jre/lib/security/cacerts instead of $JAVA_HOME/jre/lib/security/jssecacerts to make it work.
Jun 29, 2010
Ben Walding
Jun 30, 2010
Kalle Korhonen
The startssl.pem root certificate that's linked in is old. Like Paul says, access any codehaus page via https, export the root certificate and import that one into your JRE keystore.
Sep 22, 2010
Jesse Glick
I succeeded in importing startssl-CA.pem but when I try to import startssl-Intermediate.pem I get:
Do I still need to do anything?
Sep 22, 2010
Ben Walding
Jesse,
Apps like Firefox will download and install the intermediate cert automatically, but I think Java requires it to be installed manually.
So just import the intermediate cert with a different alias - e.g. StartIntermediate
Jul 23, 2011
Jesse Glick
With JDK 6u24 on Ubuntu, I seem to be doing OK with this simplified script:
Apr 12, 2011
Benson Margulies
On OSX, java build 1.6.0_24-b07-334-10M3326, it claims to already have the main cert under a different alias, and cheerfully accepts the intermediate one.
Jul 23, 2012
Jesse Glick
http://stackoverflow.com/questions/7219989/java-and-ssl-certificates has some tips on this topic.