Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Root Certificate Authority

Codehaus uses a certificate provided by StartSSL which uses a CA that isn't included in the default JDK trusted CA list.

Installing the StartSSL CA into the Java JDK

Download the StartSSL CA and StartSSL Intermediate CA to your local filesystem.

Install the certificate into the JDK Trusted CA Certs (The default password is "changeit" or "changeme" (depending on the JDK installed))

Code Block
titleWindows and Linux
#Windows / Linux
#Windows / Linux - alternative
$JAVA_HOME/bin/keytool \
    -import -alias StartSSL-CA \
    -file startssl-CA.pem -keystore $KEYSTORE
$JAVA_HOME/bin/keytool \
    -import -alias StartSSL-Intermediate \
    -file startssl-Intermediate.pem -keystore $KEYSTORE

Installing the StartSSL CA into the Java JDK as non-root

If do not have permission to modify your JDK installation you can add the certificate to your own keystore. The keytool that comes with the JDK uses ~/.keystore by default. When running a JVM you need to tell the JVM about the keystore. It appears as if it will use this keystore in addition to the one in the JDK so there is no need to add all the certificates from the JVM to the user copy.

Code Block
export MAVEN_OPTS="$HOME/.keystore \ \$HOME/.keystore \" 
mvn -Dusername=foo deploy

NOTE: If you want to debug the security related stuff add the option

Bulk updater

Since we have "a few" JDKs at Codehaus on various servers, we've written a bulk updater - deploy-ca - which will scan your various Java install areas and try and deploy the CA into those cacert files. You will need to download startssl-CA.pem and startssl-Intermediate.pem into the same directory.

It seems to work, but please exercise due caution.

Code Block
titleDeploy CA certificate to default locations on Linux and OSX
Code Block
titleDeploy CA certificate to anything under a specified path
./deploy-ca <path>

You may need to change the get_pass routine to return "changeme" rather than "changeit" as some systems seem to have a different perspective on the default store password.


This has not been tested on Windows, but has been successfully used on Linux (RHEL5) and OSX 10.6