Add Server Certificate to Java Trust Store

Owned by Tomi Pelttari
2020-06-17
2 min read

The SSO Management API, Password Reset application, and Accounting Service reporting endpoints connect to the SSO OAuth 2.0 endpoints, so the server certificate of those endpoints must be trusted by the Java Runtime Environment used by SSO. By default, no publicly issued CAs are trusted and must be trusted explicitly.

Also the Accounting Service server certificate must be trusted by the Java Runtime Environment due Accounting Service internal implementation. The self-signed certificate generated during the installation process takes this into account since v. 8.4.

The certificates can be imported using the following syntaxes. The whole certificate chain must be imported using the keytool tool, which can be found in the bin directory of the java installation under JRE_HOME.

Import the server certificate.

For Linux
./keytool -importcert -alias "SSO Server Certificate" -file ../lib/security/login.example.com.crt -keystore ../lib/security/cacerts
For Windows
cd %JRE_HOME%/bin
keytool -importcert -alias "SSO Server Certificate" -file C:\temp\login.example.com.crt -keystore ..\lib\security\cacerts

Import the intermediate certificate. Use the intermediate certificate of the issuer of your externally facing TLS/SSL certificate. In this example, the login.example.com certificate was issued by Comodo.

For Linux
./keytool -importcert -alias "COMODO RSA Domain Validation Secure Server CA" -file ../lib/security/COMODORSADomainValidationSecureServerCA.crt -keystore ../lib/security/cacerts
For Windows
keytool -importcert -alias "COMODO RSA Domain Validation Secure Server CA" -file C:\temp\COMODORSADomainValidationSecureServerCA.crt -keystore ..\lib\security\cacerts

Import the CA certificate of the issuer of your externally facing TLS/SSL certificate.

For Linux
./keytool -importcert -alias "COMODO RSA Certification Authority" -file ../lib/security/COMODORSACertificationAuthority.crt -keystore ../lib/security/cacerts
For Windows
keytool -importcert -alias "COMODO RSA Certification Authority" -file C:\temp\COMODORSACertificationAuthority.crt -keystore ..\lib\security\cacerts

Adding the self signed certificate from the default keystore.pfx

During SSO installation a default keystore is created in $UBILOGIN_HOME/custom/tomcat/keystore.pfx with a self signed certificate, when no existing keystore in the location is found. The self signed certificate can be added to the default cacerts trust store in $JRE_HOME/lib/security/cacerts with the command below. If you don't have $UBILOGIN_HOME set replace it with /usr/local/ubisecure/ubilogin-sso/ubilogin in the command:


For Linux
keytool -exportcert -keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfx -alias tomcat -storepass changeit | keytool -importcert -keystore $JRE_HOME/lib/security/cacerts -storepass changeit -alias ubisecure-sso-servercert -noprompt


For Windows
keytool -exportcert -keystore "C:\Program
Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx" -alias tomcat -storepass changeit | keytool -importcert -keystore "%JRE_HOME%\lib\security\cacerts" -storepass changeit -alias ubisecure-sso-servercert -noprompt




Ubisecure Privacy Policy & Cookie Statement