Versions Compared

Comment: Mac Step1, Windows Step1: Moved IMPORTANT caveat re. Java instance to use

...

Mac OSX and *NIX (Linux, etc.)

1. Open Terminal.app

(warning) IMPORTANT: if you are importing certificates for a JRE that was bundled with your installed software, e.g. NoMagic (Cameo, MagicDraw (MD)), Rhapsody, etc., make sure you specify the keystore path for that bundled instance of the JRE rather than the default (for MD, you can determine the installed path of the JRE by choosing Help, About and clicking the Environments tab; for Rhapsody, open rhapsody.ini in your installation folder and examine the JavaLocation= variable under the [JVM] section).

2. Using Java keytool, download the certificate (chain) presented by the server you wish to connect to, where host.domain.tld = the FQDN of the server you wish to connect to, e.g. repo1.company.com, and port = the port on which SSL/TLS is enabled:

...

Code Block (bash)
sudo keytool -import -file ~/host.domain.tld_part-n.pem -alias <host.domain.tld|domain.tld_CA|tld_CA> -keystore $JAVA_HOME/jre/lib/security/cacerts

(info) Note, you may wish to first back up your $JAVA_HOME/jre/lib/security/cacerts file.

(info) Note2, if you skipped here from step 4, replace the _part-n suffix with _full-chain in the -file parameter of the command.

(info) Note3, if enabled, you may be prompted for your sudo password; this is usually your admin password for the machine. If you are prompted for the Java keystore password, the default is changeit.


...

Windows 7, 10, 2012 (R2), etc.

1. Open an Administrator Command Prompt (CMD.EXE) in your Java home directory's bin folder, e.g. "C:\Program Files\Java\jre<version>\bin".

(warning) IMPORTANT: if you are importing certificates for a JRE that was bundled with your installed software, e.g. NoMagic (Cameo, MagicDraw (MD)), Rhapsody, etc., make sure you specify the keystore path for that bundled instance of the JRE rather than the default shown above (for MD, you can determine the installed path of the JRE by choosing Help, About and clicking the Environments tab; for Rhapsody, open rhapsody.ini in your installation folder and examine the JavaLocation= variable under the [JVM] section).

2. Using Java keytool, download the certificate (chain) presented by the server you wish to connect to, where host.domain.tld = the FQDN of the server you wish to connect to, e.g. repo1.company.com, and port = the port on which SSL/TLS is enabled:

Code Block (cmd)
keytool -printcert -rfc -sslserver host.domain.tld:port > "%UserProfile%\Downloads\host.domain.tld_full-chain.pem"

(info) Note1, if keytool isn't in your path, either cd to your %JAVA_HOME%\bin directory or prefix it to all subsequent references to this command.

(warning) If you don't have JAVA_HOME defined in your environment, you may get an error saying JAVA_HOME is not defined. To confirm, type set and, if you do not see JAVA_HOME listed, define it via set JAVA_HOME=<path to Java home, e.g. "C:\Program Files\Java\jre1.8.0_151">. To have this persist across sessions, add it as a System or User Environment Variable.

3. Open the file in a text editor.  

...

Code Block (PowerShell)
# Read the whole chain file as a single string, then write each
# BEGIN/END CERTIFICATE block to its own numbered _part-n.pem file
# (ASCII encoding, which keytool -import reads without complaint).
$allcerts = Get-Content "$env:UserProfile\Downloads\host.domain.tld_full-chain.pem" -Encoding UTF8 -Raw
$i = 0
[regex]::Matches($allcerts, '(-{5}BEGIN CERTIFICATE-{5}[\s\S]*?-{5}END CERTIFICATE-{5})') | ForEach-Object {
    $i++
    $_.Value | Out-File "$env:UserProfile\Downloads\host.domain.tld_part-$i.pem" -Encoding ASCII
}
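The same split for Mac OSX and *NIX, where that step is elided above, together with the per-part inspection step 5 below calls for, as an added example that is not part of the original page: a POSIX shell script that writes host.domain.tld_part-n.pem files and, on a real chain with keytool on the PATH, prints each part's Owner, Issuer and SHA-256 fingerprint for checking before -import. The sample bundle, script name and all file names are constructed assumptions.

```bash
#!/bin/sh
# Added example (not from the original page): split the PEM chain saved by
# "keytool -printcert -rfc -sslserver host.domain.tld:port" into one file per
# certificate (PREFIX_part-1.pem, _part-2.pem, ...), as "keytool -import" expects.
set -eu
# split_chain BUNDLE PREFIX: writes PREFIX_part-N.pem per certificate and prints
# the count. Text outside the BEGIN/END markers is dropped; CRLF files are fine.
split_chain() {
  local bundle="$1" prefix="$2" n=0 out="" cr line
  cr="$(printf '\r')"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%"$cr"}"
    if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
      n=$((n + 1)); out="${prefix}_part-${n}.pem"; : > "$out"
    fi
    if [ -n "$out" ]; then printf '%s\n' "$line" >> "$out"; fi
    if [ "$line" = "-----END CERTIFICATE-----" ]; then out=""; fi
  done < "$bundle"
  echo "$n"
}
# show_parts PREFIX COUNT: prints Owner, Issuer and SHA-256 fingerprint of each
# part for checking against a trusted source before -import, since -sslserver
# saves whatever chain the endpoint presents without authenticating it.
show_parts() {
  local prefix="$1" count="$2" i=1
  while [ "$i" -le "$count" ]; do
    echo "== ${prefix}_part-${i}.pem"
    keytool -printcert -file "${prefix}_part-${i}.pem" | grep -E '^(Owner|Issuer):|SHA256:'
    i=$((i + 1))
  done
}
# write_sample_bundle PATH: constructed two-block bundle with placeholder bodies
# (not real certificates) plus a banner line, for an offline dry run.
write_sample_bundle() {
  printf '%s\n' 'Constructed sample, not a real chain' \
    '-----BEGIN CERTIFICATE-----' 'MIIBsampleLeafCert' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'MIIBsampleCACert' '-----END CERTIFICATE-----' > "$1"
}
# Usage: split_chain.sh host.domain.tld_full-chain.pem; with no argument the
# constructed sample is split and the keytool inspection is skipped.
main() {
  local bundle="${1:-}" prefix count
  if [ -z "$bundle" ]; then bundle="$(mktemp)"; write_sample_bundle "$bundle"; fi
  prefix="${bundle%_full-chain.pem}"; prefix="${prefix%.pem}"
  count="$(split_chain "$bundle" "$prefix")"
  echo "wrote $count certificate part(s) with prefix $prefix"
  if [ -n "${1:-}" ] && command -v keytool >/dev/null 2>&1; then show_parts "$prefix" "$count"; fi
}
main "${1:-}"
```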

5. Use Java keytool to inspect each cert you split, where host.domain.tld = the FQDN of the server you connected to and n = the part number produced by the split. The certificates should be ordered from most specific (i.e. the server cert) to the issuing root CA's (self-signed) certificate:

...

Code Block (cmd)
keytool -import -file "%UserProfile%\Downloads\host.domain.tld_part-n.pem" -alias <host.domain.tld|domain.tld_CA|tld_CA> -keystore %JAVA_HOME%\lib\security\cacerts

(info) Note1, you may wish to first back up your %JAVA_HOME%\lib\security\cacerts file.

(info) Note2, if you don't have JAVA_HOME defined in your environment, you may get an error saying JAVA_HOME is not defined. To confirm, type set and, if you do not see JAVA_HOME listed, define it via set JAVA_HOME=<path to Java home, e.g. "C:\Program Files\Java\jre1.8.0_151">.

(info) Note, if you skipped here from step 4, replace the _part-n suffix with _full-chain in the -file parameter of the command.

(info) Note3, if you are prompted for the Java keystore password, the default is changeit.