How to view and edit cacerts file?

StackOverflow https://stackoverflow.com/questions/20224446

Question

Using RAD 8.5 with WAS 8.5 runtime, I am getting an exception on my console:

The keystore located at "C:\IBM\Websphere85\jdk\jre\lib\security\cacerts" failed to load due to the following error: DerInputStream.getLength(): lengthTag=109, too big..

After searching for the error I got this link which suggests to edit the file and remove blank lines/extra characters.

How do I edit the file? I am on windows environment and the file seems to be base64 encoded.

Was it helpful?

Solution 2

Here's a way to actually solve this problem without the need to view or edit the file.

The default keyStore type is JKS and the WSKeyStore class assumes it to be a PKCS12 file which throws the above error. So we need to convert the cacerts file to .p12 format.

Using the keytool utility from command line I executed:

C:\IBM\WebSphere85\AppServer\java\bin>keytool -importkeystore ^
 -srckeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts ^
 -destkeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts.p12 ^
 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -noprompt

which gave me a cacerts.p12 file which could be easily read by the above class.

References:

OTHER TIPS

As far as the original question, you can use the keytool command to view and edit a keystore like cacerts.

To view all keys in the keystore, use keytool -list:

$ keytool -list -keystore ${keystore.file}

where ${keystore.file} is the path to the cacerts file, in your case C:\IBM\Websphere85\jdk\jre\lib\security\cacerts.

To remove a specific key, use keytool -delete:

$ keytool -delete -alias ${cert.alias} -keystore ${keystore.file}

where ${cert.alias} is an existing key alias from the above -list command. *

To add a new key that was already generated elsewhere, use keytool -importcert:

$ keytool -importcert -alias ${cert.alias} -keystore ${keystore.file} -file ${cer.file}

where ${cer.file} is the path to an existing certificate or certificate chain.

Note that with each of these commands, you will be prompted for the keystore password which you can instead specify with the -storepass option. For example:

$ keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass}

* The ${cert.alias} is the left-most value in the lines outputted from keytool -list.

For example, if this is the ouput from keytool -list:

$ keytool -list -keystore ./cacerts
Enter keystore password:  

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

verisignclass1ca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

then verisignclass1ca and verisignserverca are aliases you can specify to delete.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top