Skip to end of metadata
Go to start of metadata

Root Certificate Authority

Codehaus uses a certificate provided by StartSSL which uses a CA that isn't included in the default JDK trusted CA list.

Installing the StartSSL CA into the Java JDK

Download the StartSSL CA and StartSSL Intermediate CA to your local filesystem.

Install the certificate into the JDK Trusted CA Certs (The default password is "changeit" or "changeme" (depending on the JDK installed))

Windows and Linux

Installing the StartSSL CA into the Java JDK as non-root

If do not have permission to modify your JDK installation you can add the certificate to your own keystore. The keytool that comes with the JDK uses ~/.keystore by default. When running a JVM you need to tell the JVM about the keystore. It appears as if it will use this keystore in addition to the one in the JDK so there is no need to add all the certificates from the JVM to the user copy.

NOTE: If you want to debug the security related stuff add the option

Bulk updater

Since we have "a few" JDKs at Codehaus on various servers, we've written a bulk updater - deploy-ca - which will scan your various Java install areas and try and deploy the CA into those cacert files. You will need to download startssl-CA.pem and startssl-Intermediate.pem into the same directory.

It seems to work, but please exercise due caution.

Deploy CA certificate to default locations on Linux and OSX
Deploy CA certificate to anything under a specified path

You may need to change the get_pass routine to return "changeme" rather than "changeit" as some systems seem to have a different perspective on the default store password.


This has not been tested on Windows, but has been successfully used on Linux (RHEL5) and OSX 10.6

  • No labels


  1. I couldn't get this working using "startssl.pem", it gave me the error:

    Path does not chain with any of the trust anchors

    I had to go to the site (, then export the certificate, then import it into the keystore using instructions similar to those above. I'm not sure why the root certificate didn't work for me.

  2. On Windows 7 and jdk1.6.0_20 (32-bit) I needed to use the path $JAVA_HOME/jre/lib/security/cacerts instead of $JAVA_HOME/jre/lib/security/jssecacerts to make it work.

  3. The startssl.pem root certificate that's linked in is old. Like Paul says, access any codehaus page via https, export the root certificate and import that one into your JRE keystore.

  4. I succeeded in importing startssl-CA.pem but when I try to import startssl-Intermediate.pem I get:

    keytool error: java.lang.Exception: Certificate not imported, alias <StartSSL-CA> already exists

    Do I still need to do anything?

  5. Jesse,

    Apps like firefox will download and install the intermediate cert automatically, but I think Java requires it to be installed manually.

    So just import the intermediate cert with a different alias - e.g. StartIntermediate

  6. With JDK 6u24 on Ubuntu, I seem to be doing OK with this simplified script:

  7. On OSX, java build 1.6.0_24-b07-334-10M3326, it claims to already have the main cert under a different alias, and cheerfully accepts the intermediate one.

  8. Recently there have been problems with the mentioned PEM files for Codehaus Snapshots (Nexus), I exported them from Firefox directly from and reimported them into my keystore, see HAUS-2329.

  9. Since Apple stopped building Java for OS X keystore is now: