Pete Freitag

Using Mozilla's Certificate Authority List for Java SSL


Every so often you run into an issue where you need to import a certificate authority's certificate into Java's cacerts certificate authority file. Oracle does update the cacerts file every so often, but it never seems to be as up to date as a browser like Firefox.

Mozilla, the folks who make Firefox and other great internet software, have a rigorous process for approving certificate authorities before their software will trust the certificates those authorities sign. Once a certificate authority has been approved, its certificate makes its way into the NSS (Network Security Services) library, which is what Firefox and other software use to determine whether they can trust a particular cert. The certificates can be found in the NSS source code: here.

Lots of Linux and open source software uses Mozilla's list of certificate authorities, most notably curl. The curl project has also built a nice utility called mk-ca-bundle that grabs the list from Mozilla's source code and builds a PEM file from it.

So we can use this utility to build a file that replaces the cacerts file that Java ships with. We will use one additional utility, keyutil, to convert the PEM certificate file into the JKS (Java keystore) format. You could also use openssl to convert the PEM file to PKCS12 and then import it using Java's keytool executable.

Here's a shell script that builds a Java keystore out of the Mozilla trusted certificate authority list.


# 1. Download Mozilla's certdata.txt from the NSS source tree
curl -o certdata.txt ''

# 2. Convert certdata.txt into a PEM bundle with curl's mk-ca-bundle script
#    (-n tells it to use the certdata.txt just downloaded instead of fetching its own copy)
perl mk-ca-bundle.pl -n ca-bundle.crt

# 3. Import every certificate in the PEM bundle into a new JKS trust store
java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt

Now you can specify the JVM arguments to have it use the new SSL certificate authority file:

-Djavax.net.ssl.trustStore=trustStore.jks

If you specified a password other than changeit you will also need to pass the password into the JVM arguments:

-Djavax.net.ssl.trustStorePassword=yourpassword
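As an added example (not part of the original post or of the keyutil project), here is a small Java program that checks the result: it loads the trustStore.jks built above and the JVM's own cacerts file, and lists the CAs that each trusts but the other does not, which is exactly the gap this post is about. It assumes the file name and password from the keyutil step, and that the JVM's cacerts still uses the JDK default password changeit.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;
import java.util.TreeMap;

// Compares the JKS built from Mozilla's CA list against the running JVM's own cacerts.
public class CompareTrustStores {

    // Load a trust store and map each trusted CA's SHA-256 fingerprint to its subject DN.
    // Fingerprints are compared rather than subject strings: tools render the same DN
    // differently, and distinct CA certificates can share a subject.
    static Map<String, String> trustedCerts(String path, char[] password) throws Exception {
        // Default type is JKS on Java 8 and PKCS12 on Java 9+; each implementation also
        // reads the other format, so this loads keyutil's JKS as well as the JDK's cacerts.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Map<String, String> certs = new TreeMap<>();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;   // skip private-key entries
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(cert.getEncoded())) hex.append(String.format("%02x", b));
            certs.put(hex.toString(), cert.getSubjectX500Principal().getName());
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        // trustStore.jks / changeit are the file and password from the keyutil step above
        String mozillaStore = args.length > 0 ? args[0] : "trustStore.jks";
        char[] password = "changeit".toCharArray();   // also the JDK's default cacerts password
        String cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        Map<String, String> mozilla = trustedCerts(mozillaStore, password);
        Map<String, String> jvm = trustedCerts(cacerts, password);
        System.out.printf("Mozilla bundle: %d CAs, JVM cacerts: %d CAs%n", mozilla.size(), jvm.size());
        System.out.println("Trusted by Mozilla but missing from this JVM's cacerts:");
        for (Map.Entry<String, String> e : mozilla.entrySet())
            if (!jvm.containsKey(e.getKey())) System.out.println("  " + e.getValue());
        System.out.println("Trusted by this JVM but not on Mozilla's list (worth a review):");
        for (Map.Entry<String, String> e : jvm.entrySet())
            if (!mozilla.containsKey(e.getKey())) System.out.println("  " + e.getValue());
    }
}
```

Run it with the same JVM you intend to start with the -Djavax.net.ssl.trustStore argument, since cacerts is resolved from that JVM's java.home.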


Using Mozilla's Certificate Authority List for Java SSL was first published on June 06, 2014.
