PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
Default Trusted KeyStore File - cacerts
This section provides a tutorial example on how to view the content of the default trusted KeyStore file, 'cacerts', with the KeyStore tool, 'keytool'. The password to open 'cacerts' is 'changeit'.
To do more tests, we need to learn more about the KeyStore file format and the tool to manage KeyStore files.
According to the Java documentation, a KeyStore file is a binary file that can store multiple private keys and certificates. KeyStore files are usually password protected.
The default tool for working with them is the command line tool, "keytool", provided in the JDK package. It can be used to manage KeyStore files.
Now let's try to create a copy of the default trusted KeyStore file, "cacerts", and view its content. By the way, the password for "cacerts" is "changeit".
herong> copy \local\jdk\jre\lib\security\cacerts cacerts_original
        1 file(s) copied.

herong> keytool -list -keystore cacerts_original \
   -storepass changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 104 entries

actalisauthenticationrootca [jdk], Apr 13, 2016, trustedCertEntry,
addtrustclass1ca [jdk], Apr 13, 2016, trustedCertEntry,
addtrustexternalca [jdk], Apr 13, 2016, trustedCertEntry,
addtrustqualifiedca [jdk], Apr 13, 2016, trustedCertEntry,
affirmtrustcommercialca [jdk], Apr 13, 2016, trustedCertEntry,
affirmtrustnetworkingca [jdk], Apr 13, 2016, trustedCertEntry,
affirmtrustpremiumca [jdk], Apr 13, 2016, trustedCertEntry,
affirmtrustpremiumeccca [jdk], Apr 13, 2016, trustedCertEntry,
aolrootca1 [jdk], Apr 13, 2016, trustedCertEntry,
aolrootca2 [jdk], Apr 13, 2016, trustedCertEntry,
baltimorecodesigningca [jdk], Apr 13, 2016, trustedCertEntry,
baltimorecybertrustca [jdk], Apr 13, 2016, trustedCertEntry,
buypassclass2ca [jdk], Apr 13, 2016, trustedCertEntry,
buypassclass3ca [jdk], Apr 13, 2016, trustedCertEntry,
camerfirmachambersca [jdk], Apr 13, 2016, trustedCertEntry,
camerfirmachamberscommerceca [jdk], Apr 13, 2016, trustedCertEntry,
camerfirmachambersignca [jdk], Apr 13, 2016, trustedCertEntry,
certplusclass2primaryca [jdk], Apr 13, 2016, trustedCertEntry,
certplusclass3pprimaryca [jdk], Apr 13, 2016, trustedCertEntry,
certumca [jdk], Apr 13, 2016, trustedCertEntry,
certumtrustednetworkca [jdk], Apr 13, 2016, trustedCertEntry,
chunghwaepkirootca [jdk], Apr 13, 2016, trustedCertEntry,
comodoaaaca [jdk], Apr 13, 2016, trustedCertEntry,
comodoeccca [jdk], Apr 13, 2016, trustedCertEntry,
comodorsaca [jdk], Apr 13, 2016, trustedCertEntry,
deutschetelekomrootca2 [jdk], Apr 13, 2016, trustedCertEntry,
digicertassuredidg2 [jdk], Apr 13, 2016, trustedCertEntry,
digicertassuredidg3 [jdk], Apr 13, 2016, trustedCertEntry,
digicertassuredidrootca [jdk], Apr 13, 2016, trustedCertEntry,
digicertglobalrootca [jdk], Apr 13, 2016, trustedCertEntry,
digicertglobalrootg2 [jdk], Apr 13, 2016, trustedCertEntry,
digicertglobalrootg3 [jdk], Apr 13, 2016, trustedCertEntry,
digicerthighassuranceevrootca [jdk], Apr 13, 2016, trustedCertEntry,
digicerttrustedrootg4 [jdk], Apr 13, 2016, trustedCertEntry,
dtrustclass3ca2 [jdk], May 10, 2016, trustedCertEntry,
dtrustclass3ca2ev [jdk], May 10, 2016, trustedCertEntry,
entrust2048ca [jdk], Apr 13, 2016, trustedCertEntry,
entrustevca [jdk], Apr 13, 2016, trustedCertEntry,
entrustrootcaec1 [jdk], Apr 13, 2016, trustedCertEntry,
entrustrootcag2 [jdk], Apr 13, 2016, trustedCertEntry,
equifaxsecureca [jdk], Apr 13, 2016, trustedCertEntry,
equifaxsecureebusinessca1 [jdk], Apr 13, 2016, trustedCertEntry,
equifaxsecureglobalebusinessca1 [jdk], Apr 13, 2016, trustedCertEntry,
geotrustglobalca [jdk], Apr 13, 2016, trustedCertEntry,
geotrustprimaryca [jdk], Apr 13, 2016, trustedCertEntry,
geotrustprimarycag2 [jdk], Apr 13, 2016, trustedCertEntry,
geotrustprimarycag3 [jdk], Apr 13, 2016, trustedCertEntry,
geotrustuniversalca [jdk], Apr 13, 2016, trustedCertEntry,
globalsignca [jdk], Apr 13, 2016, trustedCertEntry,
globalsigneccrootcar4 [jdk], Apr 13, 2016, trustedCertEntry,
globalsigneccrootcar5 [jdk], Apr 13, 2016, trustedCertEntry,
globalsignr2ca [jdk], Apr 13, 2016, trustedCertEntry,
globalsignr3ca [jdk], Apr 13, 2016, trustedCertEntry,
godaddyclass2ca [jdk], Apr 13, 2016, trustedCertEntry,
godaddyrootg2ca [jdk], Apr 13, 2016, trustedCertEntry,
gtecybertrustglobalca [jdk], Apr 13, 2016, trustedCertEntry,
identrustcommercial [jdk], May 10, 2016, trustedCertEntry,
identrustdstx3 [jdk], May 10, 2016, trustedCertEntry,
identrustpublicca [jdk], May 10, 2016, trustedCertEntry,
keynectisrootca [jdk], Apr 13, 2016, trustedCertEntry,
letsencryptisrgx1 [jdk], May 17, 2017, trustedCertEntry,
luxtrustglobalrootca [jdk], Apr 13, 2016, trustedCertEntry,
quovadisrootca [jdk], Apr 13, 2016, trustedCertEntry,
quovadisrootca1g3 [jdk], Apr 13, 2016, trustedCertEntry,
quovadisrootca2 [jdk], Apr 13, 2016, trustedCertEntry,
quovadisrootca2g3 [jdk], Apr 13, 2016, trustedCertEntry,
quovadisrootca3 [jdk], Apr 13, 2016, trustedCertEntry,
quovadisrootca3g3 [jdk], Apr 13, 2016, trustedCertEntry,
secomevrootca1 [jdk], Apr 13, 2016, trustedCertEntry,
secomscrootca1 [jdk], Apr 13, 2016, trustedCertEntry,
secomscrootca2 [jdk], Apr 13, 2016, trustedCertEntry,
securetrustca [jdk], Apr 13, 2016, trustedCertEntry,
soneraclass2ca [jdk], Apr 13, 2016, trustedCertEntry,
starfieldclass2ca [jdk], Apr 13, 2016, trustedCertEntry,
starfieldrootg2ca [jdk], Apr 13, 2016, trustedCertEntry,
starfieldservicesrootg2ca [jdk], Apr 13, 2016, trustedCertEntry,
swisscomrootca2 [jdk], Apr 13, 2016, trustedCertEntry,
swisssigngoldg2ca [jdk], Apr 13, 2016, trustedCertEntry,
swisssignplatinumg2ca [jdk], Apr 13, 2016, trustedCertEntry,
swisssignsilverg2ca [jdk], Apr 13, 2016, trustedCertEntry,
thawtepremiumserverca [jdk], Apr 13, 2016, trustedCertEntry,
thawteprimaryrootca [jdk], Apr 13, 2016, trustedCertEntry,
thawteprimaryrootcag2 [jdk], Apr 13, 2016, trustedCertEntry,
thawteprimaryrootcag3 [jdk], Apr 13, 2016, trustedCertEntry,
ttelesecglobalrootclass2ca [jdk], Apr 13, 2016, trustedCertEntry,
ttelesecglobalrootclass3ca [jdk], Apr 13, 2016, trustedCertEntry,
usertrusteccca [jdk], Apr 13, 2016, trustedCertEntry,
usertrustrsaca [jdk], Apr 13, 2016, trustedCertEntry,
utnuserfirstclientauthemailca [jdk], Apr 13, 2016, trustedCertEntry,
utnuserfirsthardwareca [jdk], Apr 13, 2016, trustedCertEntry,
utnuserfirstobjectca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass1ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass1g2ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass1g3ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass2g2ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass2g3ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass3ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass3g2ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass3g3ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass3g4ca [jdk], Apr 13, 2016, trustedCertEntry,
verisignclass3g5ca [jdk], Apr 13, 2016, trustedCertEntry,
verisigntsaca [jdk], Apr 13, 2016, trustedCertEntry,
verisignuniversalrootca [jdk], Apr 13, 2016, trustedCertEntry,
xrampglobalca [jdk], Apr 13, 2016, trustedCertEntry,
Conclusion: the JDK provides a default trusted KeyStore file, cacerts, with many root CA certificates included. In a KeyStore file, each certificate is assigned an alias name. The "keytool -list" command returns the list of alias names as shown above.
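The same listing can be produced from Java code, which is what a program does implicitly when it relies on cacerts for HTTPS trust. The following program is an added example, not code from the tutorial: it loads cacerts from the running JDK (assumed at java.home/lib/security/cacerts) with the "changeit" password, walks every trustedCertEntry alias, and reports each root's expiry date and SHA-256 fingerprint so the trust store can be audited rather than just counted. CacertsAudit and hex() are hypothetical names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// CacertsAudit is a hypothetical class name, not code from the tutorial.
public class CacertsAudit {
    public static void main(String[] args) throws Exception {
        // The same file the tutorial copies. On JDK 8 java.home is already
        // the jre directory, so this resolves to jre/lib/security/cacerts.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // "changeit" is the published default: it protects nothing secret (the
        // file holds public certificates) but lets load() verify the integrity
        // MAC, so a tampered trust store is detected. null would skip that check.
        char[] storepass = "changeit".toCharArray();

        // Default type is "jks" on JDK 8 and "pkcs12" on JDK 9+; either reads the cacerts shipped with its JDK.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, storepass);   // wrong password -> IOException
        }
        Date now = new Date();
        int total = 0, expired = 0;
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue; // trustedCertEntry only
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            total++;
            boolean isExpired = cert.getNotAfter().before(now);
            if (isExpired) expired++;
            // The SHA-256 fingerprint is what you compare against the CA's published root fingerprint.
            System.out.printf("%-34s %-7s notAfter=%tF sha256=%s%n", alias,
                    isExpired ? "EXPIRED" : "valid", cert.getNotAfter(),
                    hex(sha256.digest(cert.getEncoded())));
        }
        System.out.printf("%d trusted CA certificates, %d expired%n", total, expired);
    }

    // Hypothetical helper: lower-case hex encoding of a digest.
    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Run it with "java CacertsAudit" on the JDK whose trust store you want to inspect; the final count should match the "Your keystore contains N entries" line printed by keytool -list.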