Moving a Certificate from Windows to the Java Cacerts File

Recently I had a server with a java application that one day stopped authenticating users.  I was able to trace it back to the JDK  (java developer kit) that the java application software was using.  In the JDK’s keystore file (cacerts), the certificate used in its authentication was expired.  Below is the steps I took to move an updated certificate from Windows to the JDK cacerts keystore file.   Also this will work for updating the JRE’s (java runtime environment) keystore file (cacerts).

Note:  In my example I am going to use the Go Daddy certificate.  This certificate is probably similar to any certificate that would be used in your environment for authentication.  New version of the JDK already have the GoDaddy certificate in its keystore.

1. Open the Windows Certificate Manager by clicking the Start button, then typing certmgr.msc in the search text box and clicking the enter button.



2. Once the Windows Certificate Manager opens, in the left panel click on the “Trusted Root Certificate Authorities” folder, then click on the Certificates folder.  Then in the right panel, select the certificate that you going to copy.  In my example, I am choosing the Go Daddy certificate.


3.  Right click on the certificate highlighted, and scroll down to All Tasks, then click on Export.


4.  The Certificate Export Wizard will appear, click on the Next button.


5. The Export File Format screen will appear.  Leave it at the default “DER encoded binary X.509 (.CER)”.  Click the Next button.


6. In the File to Export screen, click the Browse button to name & save the certificate in the chosen location.


7.  I like to save the certificate in the same directory as the JDK’s keystore file (cacerts).  Name the certificate, and click the Save button.


8. This returns to the File to Export screen, click the Next button.


9.  The Completing the Certificate Export Wizard screen appears, click on the Finish button.


10.  A pop box may appear notifying that the export was successful.  Click the OK button, and the wizard closes.  It is now OK to close the Windows Certificate Manager.


11.  Next find the location of the keytool file, and the cacerts file in your JDK location. They will be needed for the importing of the certificate.

  • In my example, the keytool executable file was stored in the default location for the JDK: C:\Program Files\Java\jdk1.7.0_51\bin
  • In my example, the JDK keystore – cacerts file was stored in the default location for the JDK: C:\Program Files\Java\jdk1.7.0_51\jre\lib\security

12. Open a command prompt window to the directory that the keytool executable file is in, and test it by running the command: keytool -help


13. Enter the keytool command to import the certificate.  Please note that the alias is the name you want for the certificate, which in my example is: “GoDaddy”.  The double quotes are needed to if the name contains spaces.  In my example I used the full name with location for the cacerts file and the certificate that I am importing.

Note:  This certificate already exist in the keystore file by default, however I am still using it for this example.

keytool -import -alias <your alias name> -keystore <cacerts location> -trustcacerts -file <certificate location>


If prompted for a password, enter the one for your java keystore.  If a password was not set for this keystore, the default is: changeit

14.   Many line will scroll with security information regarding the certificate.  You will be prompted if you would like to trust this certificate.  Type yes, then click enter button.  Then the line returned will let you know if the certificate was added successfully.


Note: If you should get a error about writing the certificate, temporarily change the write permissions for the security folder where the cacerts file exists.

15.  Verify that the certificate was added by using the keytool command with the list option.  Enter the password again if prompted.

keytool -list -keystore <cacerts location>


16.  A long list will appear, and you will have search for your certificate to verify.


Note: In running the keytool list, piping the results to the find command will bring back the name & expiration date.  Again a password prompt may appear.

keytool -list -keystore <cacerts location> | find " <alias name> "

Final Note: After installing the certificate, may need to restart your java application for it to start using the new certificate.


Leave a Reply