How do I update my Java cacerts keystore?

Here's how:

  1. Go to the Symantec Primary PCA Root Certificates download page at
  2. Locate VeriSign Class 3 Primary CA under Root 3.
  3. Right-click Download Root Now and save the linked VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem file. For this document, we'll be storing it in C:\temp\.
  4. Make a copy of the cacerts file located in the Java Runtime Environment (JRE) lib\security folder as a backup. For example, C:\Program Files\Java\jre7\lib\security.
  5. Use the keytool.exe command line tool found in the JRE bin folder to import the certificate into the cacerts file. For example, from the Windows command line issue this command:

    "C:\Program Files\Java\jre7\bin\keytool.exe" -import -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -storepass changeit -alias verisignclass3ca -file "C:\temp\VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem"

  6. If the certificate alias already exists, you'll get an error similar to the following:

    keytool error: java.lang.Exception: Certificate not imported, alias <verisignclass3ca> already exists.

  7. When prompted to trust the certificate, type Yes. If no errors occurred, update the cacerts file.
  8. To verify that the certificate was successfully imported, use the following command:

    "C:\Program Files\Java\jre7\bin\keytool.exe" -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -list -v -alias verisignclass3ca -storepass changeit

Note: Apache Tomcat users should check the JRE_HOME or JAVA_HOME environment variables, depending on which you're using, to determine the Java Runtime Environment being used.
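
The steps above as one PowerShell script, with a fingerprint check added before the import (an added example, not part of the original instructions). It uses the paths and alias from the steps; `$ExpectedSha256` is a placeholder for the fingerprint the CA publishes, and the final check assumes that `keytool -list -v` prints the SHA256 fingerprint as colon-separated hex.

```powershell
# Added example: verify the downloaded root, back up cacerts, import, and confirm.
# Run from an elevated prompt; paths and alias are the ones used in the steps above.
$ErrorActionPreference = 'Stop'
$JreHome   = 'C:\Program Files\Java\jre7'   # for Tomcat, the JRE that JRE_HOME/JAVA_HOME points to
$Keytool   = Join-Path $JreHome 'bin\keytool.exe'
$Cacerts   = Join-Path $JreHome 'lib\security\cacerts'
$PemFile   = 'C:\temp\VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem'
$Alias     = 'verisignclass3ca'
$StorePass = 'changeit'
# Placeholder (assumption): the SHA-256 fingerprint the CA publishes, obtained separately
# from the download itself. Until it is filled in, the script refuses to import.
$ExpectedSha256 = '<SHA-256 fingerprint published by the CA>'

# Fingerprint = SHA-256 over the DER-encoded certificate, not over the PEM text.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemFile
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $actual"
if ($expected.Length -ne 64 -or $actual -ne $expected) {
    throw 'Fingerprint does not match the expected value; not importing.'
}

# Step 4: timestamped backup beside the original.
$backup = "$Cacerts.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -LiteralPath $Cacerts -Destination $backup

# Step 6: stop early if the alias is already taken instead of hitting the keytool error.
& $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $Alias | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $Cacerts." }

# Steps 5 and 7: import; keytool still asks whether to trust the certificate.
& $Keytool -import -keystore $Cacerts -storepass $StorePass -alias $Alias -file $PemFile
if ($LASTEXITCODE -ne 0) { throw "Import failed; the backup is at $backup." }

# Step 8: confirm the stored entry carries the fingerprint verified above.
# Assumption: 'keytool -list -v' prints the SHA256 fingerprint as colon-separated hex.
$colonForm = $actual -replace '(..)(?!$)', '$1:'
$listing   = & $Keytool -list -v -keystore $Cacerts -storepass $StorePass -alias $Alias | Out-String
if ($listing -notmatch [regex]::Escape($colonForm)) {
    throw "Alias missing or stored certificate differs; restore $backup."
}
"Imported '$Alias' with the expected fingerprint."
```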