How to trust a certificate in Java on Mac OS X

Yesterday, Apple released an update to Java for OS X.  I had trusted a self-signed cert with my old java installation, and it stopped working with the update, so I had to figure out how to add it again.  It’s not very hard, but kind of tricky to figure out, so here you have it.

First, export the cert using a web browser or whatever.  I used firefox, because it is easy, and I couldn’t figure out how to do it in chrome.  You should end up with a simple PEM encoded file.  Then here’s how you import it:

$ cd /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security
$ sudo cp cacerts cacerts.orig
$ sudo keytool -importcert -file your_cert_file_here -keystore cacerts

you’ll be prompted to trust it, then you are done.

In recent versions of OS X (at least 10.9 and 10.10), you can use this command to find your Java home:

$ /usr/libexec/java_home

…then, the cacerts file is located under there, in jre/lib/security.

Also, as Evan T pointed out in the comments, the password is “changeit”. This is pretty much universal for all JVMs I’ve used (including Linux/Windows).

And one more thing. It’s a good idea to specify a -alias parameter when adding the certificate, otherwise it gets added under the alias “mykey”, then if you try to add another one, you get an error, since it’s trying to add another “mykey”.


One thought on “How to trust a certificate in Java on Mac OS X

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s