Migrating Certificates between Java installations

Sometimes you want to upgrade your Java installation from one version to the next, and one thing you need to consider is whether you have imported any custom certificates into the local keystore that you’ll need to migrate. Maybe you are really diligent and keep track, or maybe you import certs as needed and you’re not sure what’s in there (shame on you)! You can’t just copy the cacerts file (where the certs are stored) over because different versions of Java have different certs distributed with them. This post will help you determine what certs you’ve added.

You’ll need to do steps like so:

    1) download a fresh copy of Java
    2) list the certs from its keystore
    3) list the certs in your current keystore
    4) compare the list of certs
    5) for certs you’ve added, extract to a .cert file and import to the new Java

The critical command for listing certs is easy if you’re in Linux. From the JDK installation’s jre/lib/security folder use the keytool:

keytool -list -keystore cacerts | grep "," | sort | awk -F, {'print $1'}

Once you have done this for a fresh copy of Java and your own installation of Java, you can diff these lists with the tool of your choice to find out what you’ve added over the years. The list is by alias, of course.

From there, it’s easy to migrate each cert to the new installation:

keytool -keystore <OldJDK>/jre/lib/security/cacerts -alias myalias -export -file <NewJDK>/jre/lib/security/myalias.cert
keytool -keystore <NewJDK>/jre/lib/security/cacerts -alias myalias -import -file <NewJDK>/jre/lib/security/myalias.cert
rm <NewJDK>/jre/lib/security/myalias.cert

Leave a comment

Filed under Software Engineering

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s