Context Navigation

← Previous Version
View Latest Version
Next Version →

Version 1 (modified by Mad Martian, 5 years ago) ( diff )
Runbook for adding root CA to global JVM trust store

Maven Repository

We have our own Maven repository exclusively for mod development located at https://gauss.extollit.com/mvn (and nothing else). This may become necessary one day when Forge and/or Mojang shuts down their servers for these legacy artifacts.

SSL Woes

In order to use the repository in Gradle it may be necessary to install our certificate to your central trust store. Follow the steps below:

Step 1 - Obtain the root certificate

The root certificate is the same one serving-up this web-page, so use your browser to find out what it is and where to get it. We're not going to link it or attach it here directly because that is a security risk.

Step 2 - Convert the root certificate to DER format

This can be done with help of the openssl toolkit, where gd-bundle.pem is the original certificate filename in PEM format, and gd-bundle.der the filename to output, in DER format (which the Java keytool utility can understand). If you were able to obtain the root certificate in DER format, skip this step.

openssl x509 -in gd-bundle.pem -inform pem -out gd-bundle.der -outform der

Step 3 - Validate the root certificate content

Ensure that the Java keytool can parse the certificate and display its content:

keytool -v -printcert -file gd-bundle.der

Step 4. Import the root certificate into the JVM trust store

Enter the following command where $JAVA_HOME is a shell environment variable that points to your Java installation, e.g. to /usr/lib/jvm/java-8-oracle; for -alias pick some unique name for the certificate in the store:

keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file gd-bundle.der

(the default password for the CA store is changeit)

The keytool will prompt you for confirmation, enter yes to complete the operation.

Step 5. Verify that the root certificate has been imported

To do that list the trust store content and filter for the certificate alias (name) with grep:

keytool -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -list | grep '^startssl\b'

You will now be able to make secure SSL/TLS connections to servers which have a certificate signed by the CA which we just imported.

Note: See TracWiki for help on using the wiki.

Download in other formats:

Plain Text