Wednesday, December 26, 2018

Java Security cacerts file and Some Useful Keytool Commands

In this post I will explain the Java cacerts keystore file. cacerts is the truststore in which Java stores the public certificates of root CAs, and Java uses it to authenticate the servers it connects to. A keystore, by contrast, is where Java stores a client's own private keys and certificates so that it can present them to a server that requests client authentication.



A certificates file named "cacerts" resides in the security properties directory, ${JAVA_HOME}/lib/security, where ${JAVA_HOME} is the runtime environment directory (the jre directory in the SDK or the top-level directory of the Java™ 2 Runtime Environment).
Note: The JAVA_HOME environment variable points to the directory where the Java Runtime Environment (JRE) or Java Development Kit (JDK) is installed on your computer.
If you have installed the JRE in C:\Program Files (x86)\Java\jre1.8.0_171, then
JAVA_HOME = C:\Program Files (x86)\Java\jre1.8.0_171

If you have installed the JDK in C:\Program Files (x86)\Java\jdk1.8.0_171, then the runtime environment bundled with it lives in its jre subdirectory and
JAVA_HOME = C:\Program Files (x86)\Java\jdk1.8.0_171\jre

If both the JDK and the JRE are installed, JAVA_HOME must still name exactly one directory, either C:\Program Files (x86)\Java\jdk1.8.0_171\jre or C:\Program Files (x86)\Java\jre1.8.0_171; a semicolon-separated list of directories belongs in PATH, not in JAVA_HOME.
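The following program is an added example, not code from the original post: it resolves the cacerts file from the running JVM's java.home property (which is the jre directory described above), opens it with the default password changeit, and lists every trusted CA together with its expiry so that expired or soon-to-expire roots stand out. The keystore path and password can be overridden on the command line; the 90-day warning threshold is an arbitrary choice of this example.

```java
// Added example: list the trust anchors in the JRE's cacerts file.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

public class ListTrustedCAs {

    /** Password the JDK/JRE ships cacerts with (see the post). */
    static final char[] DEFAULT_PASSWORD = "changeit".toCharArray();

    /**
     * ${JAVA_HOME}/lib/security/cacerts, resolved from the running JVM.
     * On JDK 8 "java.home" is the jre directory and on JDK 9+ it is the
     * top-level installation directory, so the same relative path works for both.
     */
    static Path defaultCacertsPath() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Open a keystore file; a wrong password surfaces as an IOException from load(). */
    static KeyStore loadKeyStore(Path path, char[] password) throws Exception {
        // The default type ("jks" on JDK 8, "pkcs12" on JDK 9+) reads the cacerts
        // file of the matching release.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path path = args.length > 0 ? Paths.get(args[0]) : defaultCacertsPath();
        char[] password = args.length > 1 ? args[1].toCharArray() : DEFAULT_PASSWORD;
        KeyStore ks = loadKeyStore(path, password);

        Instant now = Instant.now();
        int total = 0, expired = 0, expiringSoon = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // cacerts holds trusted-certificate entries only; skip anything else
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            total++;

            Instant notAfter = x509.getNotAfter().toInstant();
            String status = "ok";
            if (notAfter.isBefore(now)) {
                status = "EXPIRED";
                expired++;
            } else if (Duration.between(now, notAfter).toDays() < 90) { // threshold chosen for this example
                status = "expires<90d";
                expiringSoon++;
            }
            System.out.printf("%-40s %-12s %s%n", alias, status,
                    x509.getSubjectX500Principal().getName());
        }
        System.out.printf("%d trusted CA certificates in %s (%d expired, %d expiring within 90 days)%n",
                total, path, expired, expiringSoon);
    }
}
```

Compile and run with `javac ListTrustedCAs.java && java ListTrustedCAs` to inspect the JVM's own cacerts, or pass a path and password to inspect another truststore. An expired trust anchor still in the file is harmless for validation (chains ending in it will simply fail) but is a sign the installation has not been updated.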

The Java Keytool is a command line tool which can generate public/private key pairs and store them in a Java KeyStore. The Keytool executable is distributed with the Java SDK (or JRE), so if you have an SDK installed you will also have the Keytool executable.
The Keytool executable is called keytool. To run it, open a command line (cmd, console, shell etc.) and change into the bin directory of your Java SDK installation. Type keytool and press Enter. You should see something similar to this:


C:\Program Files (x86)\Java\jdk1.8.0_171\bin>keytool
Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name

C:\Program Files (x86)\Java\jdk1.8.0_171\bin>

How to import a new certificate into cacerts keystore

In case you ever need to manually add a certificate to your ${JAVA_HOME}/jre/lib/security/cacerts file, it turns out the password for that file when using the Java keytool command is changeit.

To add a certificate to that file, you’ll want to use a command like this:
keytool \
    -import \
    -alias "foobar.com" \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts \
    -file foobar.com.crt
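The program below is an added example, not the post's own code, and is the programmatic equivalent of the keytool -import command above. Before writing anything it prints the subject, issuer, validity period, CA flag and SHA-256 fingerprint of the certificate so that the fingerprint can be compared with a value obtained out of band (for example from the CA's published fingerprints); it then refuses expired certificates and duplicate aliases, and finally adds the certificate to the keystore. The keystore path, alias and certificate file are taken from the command line, the password defaults to changeit, and the file is written via a temporary file so an interrupted write cannot leave a truncated truststore behind.

```java
// Added example: inspect a certificate, then import it as a trusted entry.
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;

public class ImportTrustedCert {

    static final char[] DEFAULT_PASSWORD = "changeit".toCharArray();

    /** Parse a PEM or DER encoded certificate; CertificateFactory accepts both. */
    static X509Certificate readCertificate(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Colon-separated upper-case hex, the same form keytool -printcert shows. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Checks worth applying before a certificate becomes a trust anchor. */
    static void inspect(X509Certificate cert) throws Exception {
        System.out.println("Subject : " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal().getName());
        System.out.println("Valid   : " + cert.getNotBefore() + " to " + cert.getNotAfter());
        System.out.println("SHA-256 : " + sha256Fingerprint(cert));
        // Throws CertificateExpiredException / CertificateNotYetValidException.
        cert.checkValidity(new Date());
        // basicConstraints: -1 means "not a CA"; anything else is the allowed path length.
        if (cert.getBasicConstraints() < 0) {
            System.out.println("WARNING: not a CA certificate; it will only be trusted for itself");
        }
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            // A self-signed anchor must at least verify under its own public key.
            cert.verify(cert.getPublicKey());
        } else {
            System.out.println("Note: issuer differs from subject, so this is an intermediate, not a root");
        }
    }

    static void importCertificate(Path keystorePath, char[] password, String alias,
                                  X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystorePath)) {
            ks.load(in, password);
        }
        if (ks.containsAlias(alias)) {
            throw new IllegalStateException("alias already exists: " + alias + " (keytool -delete it first)");
        }
        ks.setCertificateEntry(alias, cert);
        // Write to a sibling temp file, then move it over the original.
        Path tmp = keystorePath.resolveSibling(keystorePath.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, password);
        }
        Files.move(tmp, keystorePath, StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java ImportTrustedCert <keystore> <alias> <cert.crt> [password]");
            System.exit(2);
        }
        Path keystorePath = Paths.get(args[0]);
        String alias = args[1];
        X509Certificate cert = readCertificate(Paths.get(args[2]));
        char[] password = args.length > 3 ? args[3].toCharArray() : DEFAULT_PASSWORD;
        inspect(cert);
        importCertificate(keystorePath, password, alias, cert);
        System.out.println("Imported " + alias + " into " + keystorePath);
    }
}
```

Run it against a copy of cacerts first, for example `java ImportTrustedCert cacerts-copy foobar.com foobar.com.crt`, and verify the result with `keytool -list -keystore cacerts-copy`. Changing the JRE's own cacerts affects every application that JVM runs; an application that needs an extra trust anchor can instead be started with `-Djavax.net.ssl.trustStore=<path to the copy>`.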

How to Change the Java Keystore Password

The cacerts keystore ships with the default password changeit. Because that default is widely known, change it if the file is going to hold anything beyond the stock root CAs.
Become superuser.

Change the keystore password with the -storepasswd command:
keytool \
    -storepasswd \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts
 Enter keystore password:  changeit
 New keystore password:  new-password
 Re-enter new keystore password:  new-password
 

Using KeyStore Explorer