How do I update my Java cacerts keystore?
- Go to the Symantec Primary PCA Root Certificates download page at https://www.symantec.com/page.jsp?id=roots.
- Locate VeriSign Class 3 Primary CA under Root 3.
- Right-click Download Root Now and save the linked VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem file. For this document, we'll be storing it in C:\temp\.
- Make a copy of the cacerts file located in the Java Runtime Environment (JRE) lib\security folder as a backup. For example, C:\Program Files\Java\jre7\lib\security.
- Use the keytool.exe command line tool found in the JRE bin folder to import the certificate into the cacerts file. For example, from the Windows command line, issue this command:
"C:\Program Files\Java\jre7\bin\keytool.exe" -import -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -storepass changeit -alias verisignclass3ca -file "C:\temp\VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem"
- If the certificate alias already exists, you'll get an error similar to the following:
keytool error: java.lang.Exception: Certificate not imported, alias <verisignclass3ca> already exists.
- When prompted to trust the certificate, type Yes. If no errors occurred, update the cacerts file.
- To verify that the certificate was successfully imported, use the following command:
"C:\Program Files\Java\jre7\bin\keytool.exe" -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -list -v -alias verisignclass3ca -storepass changeit
Note: Apache Tomcat users should check the JRE_HOME or JAVA_HOME environment variables, depending on which you're using, to determine the Java Runtime Environment being used.
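The steps above as one PowerShell script, with a fingerprint check on the downloaded file before it is trusted (an added example, not part of the original article). The paths, alias and store password are the ones used above; `$ExpectedSha256` is a placeholder for the fingerprint the CA publishes, and the timestamped backup name is an assumption. Run it from an elevated prompt, since cacerts sits under Program Files.

```powershell
# Added example: back up cacerts, verify the PEM's fingerprint, import, then list.
# Set $JreHome to the JRE actually in use (for Tomcat, see JRE_HOME / JAVA_HOME).
$JreHome   = 'C:\Program Files\Java\jre7'
$Keytool   = Join-Path $JreHome 'bin\keytool.exe'
$Cacerts   = Join-Path $JreHome 'lib\security\cacerts'
$CertFile  = 'C:\temp\VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem'
$Alias     = 'verisignclass3ca'
$StorePass = 'changeit'

# Placeholder: paste the SHA-256 fingerprint published by the CA, obtained
# separately from the download itself. Left as-is, the script stops here.
$ExpectedSha256 = '<SHA-256 fingerprint published by the CA>'

# 1. Read the fingerprint of the downloaded file before trusting it.
$printed = & $Keytool -printcert -file $CertFile | Out-String
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $CertFile" }
if (-not ($printed -match 'SHA256:\s*([0-9A-Fa-f:]+)')) {
    throw 'No SHA256 fingerprint found in keytool -printcert output'
}
$actual   = $Matches[1] -replace ':', ''
$expected = $ExpectedSha256 -replace '[:\s]', ''
if ($actual -ne $expected) {   # -ne compares case-insensitively
    throw "Fingerprint mismatch, nothing imported. File has: $actual"
}

# 2. Stop early if the alias is already present (the "already exists" case).
& $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Alias '$Alias' already exists in $Cacerts; nothing imported."
    return
}

# 3. Back up the keystore (backup file name is an assumption of this example).
$backup = "$Cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -LiteralPath $Cacerts -Destination $backup -ErrorAction Stop

# 4. Import. -noprompt is used only because the fingerprint was checked in step 1.
& $Keytool -import -noprompt -keystore $Cacerts -storepass $StorePass `
    -alias $Alias -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "Import failed; restore cacerts from $backup" }

# 5. Show the imported entry, as in the verification step above.
& $Keytool -list -v -keystore $Cacerts -storepass $StorePass -alias $Alias
```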