PSD1170 – How to make JRE trust Windows Cert – PhenixID Support (2024)

Summary

PhenixID products are based on Java, which uses the JRE's trust store by default. This article explains how to configure PhenixID products to use the Windows trust store when they run on a Microsoft Windows system.

Prerequisite

PhenixID product installed on Windows OS.

Overview

JAVA default trust store

In most cases, we use a truststore when our application needs to communicate over SSL/TLS. Java has bundled a truststore called cacerts and it resides in the $JAVA_HOME/jre/lib/security directory.

Make JAVA use Windows trust store

When PhenixID products are running in a Microsoft Windows environment, you can configure them to use the Windows trust store, so that the Windows administrators can manage the trusted certificates.
Configure the property javax.net.ssl.trustStoreType with the value Windows-ROOT to instruct Java to refer to the native Windows ROOT keystore for trusted certificates, which includes root CAs.

Configuration

PhenixID Identity Provisioning (PIP)

Configure PIP to use the Windows keystore.

  1. Open Windows Explorer and find files:
    1. Provisioning Configurator.vmoptions
    2. Provisioning Service.vmoptions
  2. Open the files with a text editor
  3. Add the following JAVA option to both files
    1. -Djavax.net.ssl.trustStoreType=Windows-ROOT
  4. Save and close both files
  5. Restart PIP service and/or PIP Configurator

NOTE: An upgrade of PIP should keep this setting. But good practice is to verify the setting after an upgrade!

PhenixID Identity Manager (PIM)

Configure PIM to use the Windows keystore.

  1. Open Windows Explorer and find file:
    1. PhenixIDIMw.exe
      (\..\PhenixID\IM\server\bin)
  2. Launch PhenixIDIMw.exe
  3. Click JAVA tab
  4. Add in JAVA options:
    1. -Djavax.net.ssl.trustStoreType=Windows-ROOT
  5. Click OK
  6. Restart PIM service

NOTE: An upgrade of PIM should keep this setting. But good practice is to verify the setting after an upgrade!

PhenixID Authentication Server (PAS)

Please add the following java option to “phenixidservice.vmoptions”

-Djavax.net.ssl.trustStoreType=Windows-ROOT
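
To confirm that the option took effect, the following added example (not PhenixID code and not part of the original article) prints the trust anchors the JVM's default trust manager actually loads and flags expired ones. The class name TrustAnchorCheck is hypothetical; the example assumes a Windows host and the same JRE the product uses.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class (not part of any PhenixID product).
public class TrustAnchorCheck {
    public static void main(String[] args) throws Exception {
        // Shows whether the -D option from the .vmoptions file reached this JVM.
        String type = System.getProperty("javax.net.ssl.trustStoreType");
        System.out.println("javax.net.ssl.trustStoreType = "
                + (type == null ? "(unset, JRE default store is used)" : type));

        // init(null) makes the factory load the JVM's default trust store,
        // honouring the javax.net.ssl.trustStore* system properties.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        Date now = new Date();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            X509Certificate[] anchors = ((X509TrustManager) tm).getAcceptedIssuers();
            int expired = 0;
            for (X509Certificate cert : anchors) {
                boolean isExpired = cert.getNotAfter().before(now);
                if (isExpired) {
                    expired++;
                }
                // One line per anchor: status, subject DN, expiry date.
                System.out.printf("%s %s (not after %s)%n",
                        isExpired ? "EXPIRED" : "ok     ",
                        cert.getSubjectX500Principal().getName(),
                        cert.getNotAfter());
            }
            System.out.println("Trust anchors loaded: " + anchors.length
                    + ", expired: " + expired);
        }
    }
}
```

Run it as java -Djavax.net.ssl.trustStoreType=Windows-ROOT TrustAnchorCheck.java (single-file launch needs Java 11 or later), under the same Windows account as the service, because the root store view can differ per user. Every certificate it lists is a root the product will accept for TLS, so review the list for entries that should not be trusted.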

DISCLAIMER

Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se

FAQs

How to add SSL cert to the Java Trust Store Windows?

Add Certificate in the Java Truststore
  1. Identify the certification path.
  2. Export certificate in the Internet Explorer.
  3. Choose the export file format.
  4. Export certificate in Firefox.
  5. Import certificate in the truststore.
  6. Imported certificate in the truststore.

How to add CA cert to Java truststore?

Installing a Root Certificate in the Trust Store
  1. Import the root certificate. Execute the command JRE_HOME/bin/keytool -import -trustcacerts -alias certAlias -file certFile -keystore trustStoreFile. ...
  2. Confirm that you trust the certificate. ...
  3. Identify the trust store to the client application.

How do I add .cer to truststore?

Procedure 8.3. Add a Certificate to a Truststore Using Keytool
  1. Run the keytool -import -alias ALIAS -file public.cert -storetype TYPE -keystore server.truststore command: ...
  2. If the specified truststore already exists, enter the existing password for that truststore, otherwise enter a new password:

How to check javax.net.ssl truststore?

To determine what SSL/TLS keystore and truststore a Java™ application is using, you can set the JVM property javax.net.debug=true and re-create the error. sslsocket: SSL Socket created.

How to create a truststore?

You can create the truststore file as part of the import process. The Java keytool utility is available with the Java JRE, which is not available on the HMC. You must use the keytool utility from a computer where Java JRE is installed. You can use any name and password for the truststore file.

How do I add a trusted certificate in Windows?

Here are the steps to do this on a Windows 10/11 computer:
  1. Open the Run Dialog: Press Windows key + R to open the Run dialog.
  2. Open MMC: Type mmc into the Run dialog and press Enter. ...
  3. Add the Certificates Snap-in: ...
  4. Access the Trusted Root Certification Authorities: ...
  5. Manage Certificates: ...
  6. Close MMC:

How to make Java trust a certificate?

Installing a Certificate as a Trusted Certificate in the Java...
  1. Create a Java Trust Store File for the Server and Add a Server Certificate to the Java Trust Store File.
  2. Create a Java Trust Store File for the Client and Add a Client Certificate to the Java Trust Store File.

How to update JVM Truststore?

The Java trust store is only updated when you update the JRE. If you want to add new CA certificates you need to do this on your own. In my experience this is not necessary for public CAs if you keep your JRE up to date.

Where is the Java Trusted Certs file?

Java stores the trusted certificates in a special file named cacerts that lives inside our Java installation folder. The default password for this KeyStore is “changeit”, but it could be different if it was previously changed in our system.

How to install certificate in JRE?

Procedure
  1. Locate the keystore location in the JRE. Typically this keystore is at JAVA_HOME\jre\lib\security\cacerts. ...
  2. Run the standard keytool to import the certificate, from JAVA_HOME\jre\lib\security. ...
  3. When prompted Enter keystore password:, enter "changeit" . ...
  4. When prompted Trust this certificate? [no]:, enter "yes".

How to check certificates in Java truststore?

Under Administration > Configuration, click Trusted Certificate Management. The Trusted Certificate Management page opens. Click Java Trust Store. The Java Trust Store tab lists the alias and expiration date of each certificate in the Java trust store.

How to install SSL certificate in JVM?

Using Portecle
  1. Download and install the Portecle app onto the server that runs your application. ...
  2. Ensure the <JAVA_HOME> variable is pointing to the same version of Java that your application uses. ...
  3. Select the Examine menu and then click Examine SSL/TLS Connection:
  4. Enter the SSL Host and Port of the target system:

What is the default password for JRE Truststore?

Default Trust Store

By default, the password for this Trust Store is "changeit".

How to set default truststore in Java?

The init method initializes the TrustManagerFactory with the given TrustStore. As a side note, Java KeyStore and TrustStore are both represented by the KeyStore Java class. So when we pass null as an argument, TrustManagerFactory would initialize itself with default TrustStore (cacerts).

How to verify truststore?

To check the truststore for certificates
  1. From the command prompt or shell window, change your working directory to. ...
  2. Add the bin directory to the PATH environment variable: ...
  3. After the PATH variable is set, execute the following keytool command to place the contents into a certs.txt file: ...
  4. Check the certs.

How to import SSL certificate into JDK?

Import a certificate to the Java Keystore
  1. Replace $JDK_HOME with your actual JDK home path.
  2. Replace $CERT with the path to your certificate that you previously installed to the system.
  3. Replace $ALIAS with the preferred alias to be used in the keystore.
  4. Note that changeit is the default password for Java's cacerts file.

How to enable SSL certificate verification in Java?

If I want Java to connect to an SSL host, I usually follow these steps:
  1. Get the root certificate for the remote website. (Or, if it's a self-signed certificate, just grab that instead.)
  2. Add the root certificate(s) into the default Java truststore.
  3. Relaunch the Java application.

How do I add a certificate to vCenter trust store?

Procedure
  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group. ...
  3. Navigate to the Certificate Management UI. ...
  4. If the system prompts you, enter the credentials of your vCenter Server.

Where is the Java Trust Store in Windows?

JAVA default trust store

Java has bundled a truststore called cacerts and it resides in the $JAVA_HOME/jre/lib/security directory.

Article information

Author: Prof. An Powlowski
