Manage JVM certificates

Check the setup

To manage JVM certificates from the command line you need 'keytool', which is part of the standard Java distribution.

Finding where the certs are stored is not difficult, just follow the yellow brick road.


1. Find JVM home

# Find Java home
root@VirtualBox:~# ls -l $(which java)
lrwxrwxrwx 1 root root 22 Dec 18 13:00 /usr/bin/java -> /etc/alternatives/java
root@jca-VirtualBox:~# ll /etc/alternatives/java
lrwxrwxrwx 1 root root 46 Dec 18 13:00 /etc/alternatives/java -> /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java*

2. Find cacerts path

Now you know "/usr/lib/jvm/java-7-openjdk-amd64/jre/" is Java home. The default location for the certs is "{JAVA HOME}/lib/security/".

root@VirtualBox:~# ls -l /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security
total 8
lrwxrwxrwx 1 root root 27 Nov 19 11:39 cacerts -> /etc/ssl/certs/java/cacerts
lrwxrwxrwx 1 root root 40 Nov 19 11:39 java.policy -> /etc/java-7-openjdk/security/java.policy
lrwxrwxrwx 1 root root 42 Nov 19 11:39 java.security -> /etc/java-7-openjdk/security/java.security
-rw-r--r-- 1 root root 538 Dec 1 2007 local_policy.jar
lrwxrwxrwx 1 root root 36 Nov 19 11:39 nss.cfg -> /etc/java-7-openjdk/security/nss.cfg
-rw-r--r-- 1 root root 520 Dec 1 2007 US_export_policy.jar

On this system the JVM certificate file is '/etc/ssl/certs/java/cacerts'.


3. Confirm that 'keytool' is available

root@VirtualBox:~# ls -l $(which keytool)
lrwxrwxrwx 1 root root 25 Dec 18 13:00 /usr/bin/keytool -> /etc/alternatives/keytool
root@VirtualBox:~# ll /etc/alternatives/keytool
lrwxrwxrwx 1 root root 49 Dec 18 13:00 /etc/alternatives/keytool -> /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/keytool*

Just as expected, 'keytool' is part of the standard Java installation and is located at "{JAVA HOME}/jre/bin/keytool".


Add certificates to the system


Fetch the certificate

To fetch the certificate you can use the command shown below:

user@VirtualBox:~$ openssl s_client -connect {host}:{port} -showcerts 2>/dev/null | openssl x509 -inform PEM -text -out cert.pem

The resulting file ("cert.pem") will look something like this:

-----BEGIN CERTIFICATE-----
MIIf+DCCHuCgAwIBAgIINLbQ6oSzeqAwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUxMjEwMTc0NjAwWhcNMTYwMzA5MDAwMDAw
WjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
BQcDAjCCG5MGA1UdEQS
-----END CERTIFICATE-----

Update the certificate


I highly recommend taking a backup of the cacerts or keystore file, so it is possible to go back to it in case something goes wrong:

root@VirtualBox:~# cp /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.back

To delete the old certificate you can use the following command: "keytool --delete -alias {alias} -keystore {cacerts or keystore} -storepass {password}". Substitute {alias}, {cacerts or keystore} and {password} with the alias of the certificate you want to delete, the file in which it is stored and its password. The switch "-storepass" is optional; if it is not used you will be prompted to type the password of the certificate file.

root@VirtualBox:~# keytool --delete -alias testcert -keystore cacerts -storepass changeit

To import the new certificate you can use the following command: "keytool --importcert -alias {alias} -file {file.crt} -keystore {cacerts file} [optional: -storepass {password}]".

root@VirtualBox:~# keytool --importcert -alias testcert -file cert.pem -keystore cacerts -storepass changeit

The difficult part now is to keep track of the certificates in all your servers and make sure none of them expires (especially in production). I have created a little tool to accomplish this task. It can be set as a cronjob to run every day and it will email you just 30 days before the certificate expires. I know it is very simple, but it works.
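As an added example (not the author's tool and not part of the original post), here is a Python script that does the same kind of expiry check: it runs `keytool -list -v` against the cacerts file located in the setup section, parses the "Valid from: ... until: ..." line of each entry and reports the aliases that expire within 30 days, exiting non-zero so a cron job can mail the output. The sample listing inside it is constructed; the `changeit` password and the cacerts path are the ones used on this page.

```python
"""Added example (not the author's tool): list entries in a JVM cacerts file
that expire within N days, by parsing `keytool -list -v` output."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# keytool prints dates as java.util.Date.toString(), e.g. "Wed Mar 09 00:00:00
# UTC 2016"; the zone token varies per host, so it is dropped (naive datetime).
UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})\s*$")

# Constructed sample of `keytool -list -v` output with two trusted entries.
SAMPLE_LISTING = """\
Alias name: testcert
Entry type: trustedCertEntry
Valid from: Thu Dec 10 17:46:00 UTC 2015 until: Wed Mar 09 00:00:00 UTC 2016
Certificate fingerprints:

Alias name: internalca
Valid from: Mon Jan 04 00:00:00 CET 2016 until: Sun Jan 04 00:00:00 CET 2026
"""

def parse_expiries(listing):
    """Map alias -> naive expiry datetime. An entry that carries a chain
    lists several certificates; only the first (end-entity) one counts."""
    expiries, alias = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            alias = line[len("Alias name: "):].strip()
        elif line.startswith("Valid from: ") and alias and alias not in expiries:
            if m := UNTIL_RE.search(line):
                expiries[alias] = datetime.strptime(f"{m[1]} {m[2]}", "%b %d %H:%M:%S %Y")
    return expiries

def expiring_within(expiries, days, now):
    """[(alias, days_left)] for entries expiring within `days`, soonest first;
    an already expired entry shows a negative days_left."""
    cutoff = now + timedelta(days=days)
    hits = [(a, (exp - now).days) for a, exp in expiries.items() if exp <= cutoff]
    return sorted(hits, key=lambda h: h[1])

def list_keystore(path, storepass="changeit"):
    """Run keytool (located in the setup section) against the keystore."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/java/cacerts"
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    hits = expiring_within(parse_expiries(list_keystore(path)), 30, now)
    for alias, left in hits:
        print(f"{alias}: expires in {left} days")
    sys.exit(1 if hits else 0)  # non-zero exit lets cron's mail or monitoring notice
```

Run from cron with MAILTO set and you only get mail on days when something is about to expire, since the script prints nothing otherwise.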



© 2025 Julian's Corner. All rights reserved