How to view and edit cacerts file?

别来无恙 提交于 2019-12-10 12:49:33

问题


Using RAD 8.5 with WAS 8.5 runtime, I am getting an exception on my console:

The keystore located at "C:\IBM\Websphere85\jdk\jre\lib\security\cacerts" failed to load due to the following error: DerInputStream.getLength(): lengthTag=109, too big..

After searching for the error I got this link which suggests to edit the file and remove blank lines/extra characters.

How do I edit the file? I am on windows environment and the file seems to be base64 encoded.


回答1:


Here's a way to actually solve this problem without the need to view or edit the file.

The default keyStore type is JKS and the WSKeyStore class assumes it to be a PKCS12 file which throws the above error. So we need to convert the cacerts file to .p12 format.

Using the keytool utility from command line I executed:

C:\IBM\WebSphere85\AppServer\java\bin>keytool -importkeystore ^
 -srckeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts ^
 -destkeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts.p12 ^
 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -noprompt

which gave me a cacerts.p12 file which could be easily read by the above class.

References:

  • IBM Error
  • Stackoverflow: convert .jks to .p12



回答2:


As far as the original question, you can use the keytool command to view and edit a keystore like cacerts.

To view all keys in the keystore, use keytool -list:

$ keytool -list -keystore ${keystore.file}

where ${keystore.file} is the path to the cacerts file, in your case C:\IBM\Websphere85\jdk\jre\lib\security\cacerts.

To remove a specific key, use keytool -delete:

$ keytool -delete -alias ${cert.alias} -keystore ${keystore.file}

where ${cert.alias} is an existing key alias from the above -list command. *

To add a new key that was already generated elsewhere, use keytool -importcert:

$ keytool -importcert -alias ${cert.alias} -keystore ${keystore.file} -file ${cer.file} 

where ${cer.file} is the path to an existing certificate or certificate chain.

Note that with each of these commands, you will be prompted for the keystore password which you can instead specify with the -storepass option. For example:

$ keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass}

* The ${cert.alias} is the left-most value in the lines outputted from keytool -list.

For example, if this is the ouput from keytool -list:

$ keytool -list -keystore ./cacerts
Enter keystore password:  

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

verisignclass1ca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

then verisignclass1ca and verisignserverca are aliases you can specify to delete.



来源:https://stackoverflow.com/questions/20224446/how-to-view-and-edit-cacerts-file

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!