How to view and edit cacerts file?

Using RAD 8.5 with WAS 8.5, I get an exception on my console:

The keystore located at "C:\IBM\Websphere85\jdk\jre\lib\security\cacerts" failed to load due to the following error: DerInputStream.getLength(): lengthTag=109, too big..

After searching for the error, I found a link that suggests editing the file and removing blank lines / extra characters.

How do I edit the file? I am in a Windows environment and the file seems to be base64 encoded.

+8
java websphere-8 keystore ibm-rad
2 answers

Here you can solve this problem without having to view or edit the file.

The default key type is JKS, and the WSKeyStore class assumes that it is a PKCS12 file, which throws the above error. Therefore, we need to convert the cacerts file to the .p12 format.

Using the keytool utility from the command line, I did:

 C:\IBM\WebSphere85\AppServer\java\bin>keytool -importkeystore ^
     -srckeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts ^
     -destkeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts.p12 ^
     -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -noprompt

which gave me the cacerts.p12 file, which can be easily read by the class above.

+3
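Why the error reads lengthTag=109, as an added example that is not part of the original answers: a JKS file starts with the magic bytes FE ED FE ED, and a DER parser expecting PKCS12 reads the second byte 0xED as a long-form length with 0x6D = 109 length octets. The function names and sample headers are constructed for illustration, and the 4-octet limit is an assumption taken from OpenJDK's DER reader.

```python
import struct

JKS_MAGIC = 0xFEEDFEED    # first 4 bytes of a "JKS" keystore
JCEKS_MAGIC = 0xCECECECE  # first 4 bytes of a "JCEKS" keystore

def sniff_keystore(head: bytes) -> str:
    """Classify a keystore from its leading bytes (at least 4 needed)."""
    if len(head) < 4:
        return "too short"
    (magic,) = struct.unpack(">I", head[:4])
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if head[0] == 0x30:                 # DER SEQUENCE: PKCS12 is DER-encoded
        return "PKCS12/DER"
    if head.startswith(b"-----BEGIN"):  # PEM is base64 text, not a keystore
        return "PEM text"
    return "unknown"

def der_length_tag(head: bytes):
    """Number of length octets a DER reader would expect after byte 0,
    or None when byte 1 is a short-form length (high bit clear)."""
    if len(head) < 2 or not head[1] & 0x80:
        return None
    return head[1] & 0x7F

def explain(head: bytes) -> str:
    """Describe what happens if these bytes are loaded as PKCS12."""
    kind = sniff_keystore(head)
    tag = der_length_tag(head)
    # Assumption: the reader rejects more than 4 length octets (OpenJDK does).
    if kind != "PKCS12/DER" and tag is not None and tag > 4:
        return f"{kind}: parsed as PKCS12 -> lengthTag={tag}, too big"
    return f"{kind}: no oversized length tag"

if __name__ == "__main__":
    # Constructed sample headers, not taken from a real keystore.
    samples = {
        "jks": struct.pack(">II", JKS_MAGIC, 2),  # magic + version field
        "p12": bytes.fromhex("308209a0"),         # SEQUENCE, 2 length octets
    }
    for name, head in samples.items():
        print(name, "->", explain(head))
    # To check a real file: explain(open(path, "rb").read(8))
```

Running `explain` on the first 8 bytes of a keystore tells you which store type to pass to keytool or to the application before attempting any conversion.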

As for the original question, you can use the keytool command to view and edit the keystore, such as cacerts.

To view all keys in a keystore, use keytool -list:

 $ keytool -list -keystore ${keystore.file} 

where ${keystore.file} is the path to the cacerts, in your case C:\IBM\Websphere85\jdk\jre\lib\security\cacerts.

To delete a specific key, use keytool -delete:

 $ keytool -delete -alias ${cert.alias} -keystore ${keystore.file} 

where ${cert.alias} is the existing key alias from the above -list.*

To add a new key that has already been generated elsewhere, use keytool -importcert:

 $ keytool -importcert -alias ${cert.alias} -keystore ${keystore.file} -file ${cer.file} 

where ${cer.file} is the path to an existing certificate or certificate chain.

Please note that for each of these commands you will be asked to enter a keystore password, which you can specify with the -storepass option. For example:

 $ keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass} 

* ${cert.alias} is the leftmost value in the lines output from keytool -list.

For example, if this is the output from keytool -list:

 $ keytool -list -keystore ./cacerts
 Enter keystore password:
 Keystore type: jks
 Keystore provider: SUN

 Your keystore contains 2 entries

 verisignclass1ca, Jun 29, 1998, trustedCertEntry,
 Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
 verisignserverca, Jun 29, 1998, trustedCertEntry,
 Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

then verisignclass1ca and verisignserverca are aliases that you can specify for deletion.

0