
Using Mozilla's Certificate Authority List for Java SSL

Updated on November 17, 2023
By Pete Freitag

Every so often you run into an issue where you need to import a certificate authority's certificate into Java's cacerts trust store. Oracle does update the cacerts file from time to time, but it never seems to be as current as the trust list in a browser like Firefox.

Mozilla, the folks that make Firefox and other great internet software, have a rigorous process for approving certificate authorities before their software will trust the certificates those authorities sign. Once a certificate authority has been approved, its root certificate makes its way into the NSS (Network Security Services) libraries, which is what Firefox and other software use to decide whether a particular cert can be trusted. The list of root certificates lives in the NSS source code, in the certdata.txt file.

Lots of Linux and open source software uses Mozilla's list of certificate authorities, most notably curl. The curl project has also built a nice utility, mk-ca-bundle, that fetches Mozilla's certdata.txt and builds a PEM file from it.

So we can use this utility to build a file that can replace the cacerts file that Java ships with. We will use one additional utility called keyutil to convert the PEM certificate file into the JKS (Java keystore) format. You could also potentially use openssl to convert the PEM file to PKCS12 and then import it using Java's keytool executable.

Here's a shell script that builds a Java keystore out of the Mozilla trusted certificate authority list.

#!/bin/sh
# Stop at the first failing step so a partial download never becomes a trust store.
set -e

# 1. Fetch Mozilla's current root certificate list from the NSS source tree.
curl -o certdata.txt 'https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt'

# 2. Convert certdata.txt into a PEM bundle. The -n flag tells mk-ca-bundle to use
#    the certdata.txt already on disk instead of downloading its own copy.
perl mk-ca-bundle.pl -n > ca-bundle.crt

# 3. Import every certificate in the PEM bundle into a new JKS trust store.
#    "changeit" is the same default password Java uses for its own cacerts file.
java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt

Now you can specify the JVM arguments to have it use the new SSL certificate authority file:

-Djavax.net.ssl.trustStore=/path/to/trustStore.jks

If you specified a password other than changeit, you will also need to pass the password in the JVM arguments:

-Djavax.net.ssl.trustStorePassword=yourPassword
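If you would rather not depend on a third-party jar, the JDK itself can do the PEM-to-JKS conversion that keyutil performs above: CertificateFactory.generateCertificates() reads every CERTIFICATE block in a concatenated PEM file (skipping the comment and name lines mk-ca-bundle writes between them), and the result can be written out as a KeyStore. The following program is an added example, not code from the original post or from the keyutil or mk-ca-bundle projects. The class name PemToTrustStore, the method names, and the default file names ca-bundle.crt and trustStore.jks are my own choices; the store password defaults to the same changeit used above. It also skips roots that are already expired and re-opens the finished store to confirm it contains as many trusted entries as were written.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;

/** Hypothetical helper (example code): build a JKS trust store from a PEM CA bundle. */
public class PemToTrustStore {

    /** Parse every CERTIFICATE block in a PEM bundle such as mk-ca-bundle's ca-bundle.crt. */
    static Collection<? extends Certificate> readPemBundle(Path bundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(bundle)) {
            // generateCertificates() consumes all concatenated PEM blocks, not just the first one,
            // and ignores the free text mk-ca-bundle places before each block.
            return cf.generateCertificates(in);
        }
    }

    /** Lowercase hex SHA-256 fingerprint of the DER encoding, used to build unique aliases. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Write a JKS store containing only trusted-certificate entries; returns how many were stored. */
    static int buildTrustStore(Path bundle, Path out, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // initialise an empty store
        Date now = new Date();
        int count = 0;
        for (Certificate c : readPemBundle(bundle)) {
            X509Certificate x = (X509Certificate) c;
            if (x.getNotAfter().before(now)) {
                // An expired root can never validate a chain; leaving it out keeps the store honest.
                System.err.println("skipping expired CA: " + x.getSubjectX500Principal());
                continue;
            }
            // Two roots can share a subject name, so alias on the fingerprint rather than the DN.
            String alias = sha256Fingerprint(x).substring(0, 16);
            ks.setCertificateEntry(alias, x);
            count++;
        }
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, password);
        }
        return count;
    }

    /** Re-open the store the way the JVM will and count its trusted-certificate entries. */
    static int countTrustedEntries(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        Path bundle = Paths.get(args.length > 0 ? args[0] : "ca-bundle.crt");
        Path out = Paths.get(args.length > 1 ? args[1] : "trustStore.jks");
        char[] password = "changeit".toCharArray();
        int stored = buildTrustStore(bundle, out, password);
        int reloaded = countTrustedEntries(out, password);
        System.out.println("stored " + stored + " CA certificates; " + reloaded + " readable from " + out);
        if (stored != reloaded) {
            System.exit(1);
        }
    }
}
```

Run it as java PemToTrustStore ca-bundle.crt trustStore.jks after the shell script has produced ca-bundle.crt, and compare the count it prints with the number of certificates in the bundle (keytool -list -keystore trustStore.jks -storepass changeit lists the same entries). Keep in mind that -Djavax.net.ssl.trustStore replaces the default cacerts rather than supplementing it, so any internal or private CA certificates you had imported into cacerts must be added to the new store as well.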



Using Mozilla's Certificate Authority List for Java SSL was first published on June 06, 2014.
