I am trying to add some public-key certificates to my cacerts file. In the past I have done it by modifying the keystore directly, as follows:
keytool -keystore /etc/pki/java/cacerts -importcert -alias mail.mysite.com -noprompt -file myCert.pem
I have since learned a more proper way of doing this is to add my PEM files to /etc/pki/ca-trust/source/anchors/ and re-generate the certificate file with the update-ca-trust command.
I have done this successfully with the DoD PKI certificates from Cyber.mil, first converting their P7B file to PEM.
openssl pkcs7 -print_certs -in certificates_pkcs7_v5_11_dod_pem.p7b -out certificates_pkcs7_v5_11_dod.pem
sudo cp certificates_pkcs7_v5_11_dod.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
I know I have added the certificates properly because the command keytool -list -cacerts shows that the number of keystore entries has increased.
I would like to do this for some of our local websites. The following command gives me a PEM file that I can add using keytool (see above), but it doesn't work when I add the file to /etc/pki/ca-trust/source/anchors/.
openssl s_client -connect mail.mysite.com:443 </dev/null | openssl x509 -outform pem > myCert.pem
My environment:
- Amazon Linux 2
- openssl.x86_64 1:1.0.2k-24.amzn2.0.6 @amzn2-core
- temurin-11-jdk.x86_64 11.0.18.0.0.10-2 @Adoptium (provides keytool)
What is the best (proper?) way to add a site's certificate to my cacerts file?
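The command in the question pipes the s_client output through `openssl x509`, which keeps only the first certificate the server sends: the end-entity (leaf) certificate, not a CA. The anchors directory is for trust anchors, and update-ca-trust builds the Java cacerts file with `p11-kit extract --filter=ca-anchors`, which emits only CA certificates, so a leaf dropped into anchors never shows up in `keytool -list -cacerts`. The script below is an added example, not code from the question's author: it fetches the whole chain with `-showcerts`, splits it, installs only the certificates that carry basicConstraints CA:TRUE, and then re-extracts and verifies. It assumes an openssl 1.0.2 or newer command line (it avoids `x509 -ext`, which 1.0.2 lacks), the p11-kit/update-ca-trust layout of Amazon Linux 2, and a placeholder host mail.mysite.com:443 standing in for the real site.

```shell
#!/bin/sh
# Added example, not the question author's code. Assumes openssl >= 1.0.2,
# the update-ca-trust layout of Amazon Linux 2 / RHEL 7, and that
# mail.mysite.com:443 is a placeholder for the real server.
set -eu

ANCHORS=${ANCHORS:-/etc/pki/ca-trust/source/anchors}

# fetch_chain HOST PORT OUT: save every certificate the server presents
# (end-entity first, then intermediates) as one PEM bundle. A plain
# `openssl x509` on the s_client output would keep only the first one.
fetch_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {p=0}' > "$out"
}

# split_pem BUNDLE DIR: write DIR/cert-1.pem, cert-2.pem, ...; print the count.
split_pem() {
  bundle=$1; dir=$2
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
    n > 0 { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
    END { print n + 0 }' "$bundle"
}

# is_ca FILE: succeed only if the certificate carries basicConstraints CA:TRUE.
# Parses -text output because openssl 1.0.2 has no `x509 -ext basicConstraints`.
is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# install_anchors DIR: copy the CA certificates from DIR into the anchors
# directory (file name = SHA-256 fingerprint, so re-runs do not duplicate) and
# re-extract. End-entity certificates are reported and skipped: the Java
# cacerts output is generated with `p11-kit extract --filter=ca-anchors`,
# which keeps CA certificates only. Prints the number of anchors installed.
install_anchors() {
  dir=$1; added=0
  for f in "$dir"/cert-*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject)
    if is_ca "$f"; then
      fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':')
      echo "anchor: $subj" >&2
      sudo cp "$f" "$ANCHORS/$fp.pem"
      added=$((added + 1))
    else
      echo "skipped (end-entity certificate, not a CA): $subj" >&2
    fi
  done
  if [ "$added" -gt 0 ]; then
    sudo update-ca-trust extract
  fi
  echo "$added"
}

# verify_leaf LEAF: check that the regenerated OpenSSL bundle now validates the
# server certificate, then show how many trusted entries keytool sees.
verify_leaf() {
  openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt "$1"
  keytool -list -cacerts -storepass changeit | grep -c 'trustedCertEntry'
}

main() {
  host=${1:-mail.mysite.com}; port=${2:-443}
  work=$(mktemp -d)
  fetch_chain "$host" "$port" "$work/chain.pem"
  n=$(split_pem "$work/chain.pem" "$work/split")
  echo "server sent $n certificate(s)" >&2
  install_anchors "$work/split" >/dev/null
  verify_leaf "$work/split/cert-1.pem"
}

# Runs only when given a host, e.g.: sh add-site-ca.sh mail.mysite.com 443
if [ $# -ge 1 ]; then
  main "$@"
fi
```

Two caveats a practitioner would want. First, servers normally send the leaf and the intermediates but not the root, so if the site is signed by an internal CA the root should come from the CA operator out of band; a certificate pulled off the wire and installed as an anchor is trust-on-first-use, and anything that can sit between the host and mail.mysite.com at that moment becomes trusted for every TLS client on the box. Second, if the real goal is to trust exactly one server certificate rather than its issuer, that is a per-application pin, which is what the original `keytool -importcert` into the Java keystore does; the anchors directory is the wrong tool for that, which is why the leaf "doesn't work" there.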