Configuring Java to trust Windows PKI

There may be times when you have a Java / Java-Tomcat app that needs to make a TLS connection to a service using a WolfTech PKI generated certificate, like Java installs do not use the Windows OS certificate store, and instead, has it’s own certificate store. This article describes how to add the NCSU Root CA and WolfTech Enterprise subCA to the Java certificate store on the Windows platform.

Instructions here are based on a default installation of the 32-bit version of Java 7 Update 11 on 32-bit Windows 7/SP1 Enterprise. Probably works similarly on other platforms, but this was not tested and verified.

First, download the Base64 PEM public keys from, and save them to an appropriate directory. The filenames will be “NCSURootCA.Base64.pem” and “NCSUEnterpriseCA.Base64.pem”. Now, from an Administrator Command Prompt, copy the two files into the “C:\Program Files\Java\jre7\lib\security” to avoid having to type some Java commands with fully qualified paths later on.

As administrator, ensure you’re in the “C:\Program Files\Java\jre7\lib\security” directory. Java has it’s default trusted certificates in the cacerts file in this directory. At the command prompt, make a backup of this file.

copy cacerts cacerts.bak

Now, we will add the NCSURootCA first:

“C:\Program Files\Java\jre7\bin\keytool.exe” -importcert -file .\NCSURootCA.Base64.pem -alias ncsurootca -keystore .\cacerts -storepass changeit

When you run this command, it will print out some of the details of the cert and ask you to confirm that you want to add it. Answer “yes”.

Next, let’s add the WolfTech Enterprise subCA:

“C:\Program Files\Java\jre7\bin\keytool.exe” -importcert -file .\NCSUEnterpriseCA.Base64.pem -alias ncsuenterpriseca -keystore .\cacerts -storepass changeit

At this point, the certs are trusted by Java. Any currently running Java apps will need to be restarted. As multiple Java engines (such as a 64 bit version) can be installed on a machine, make sure that you are updating the specific Java install relevant to your app.

If you want to verify the root certs in the Java store, you can:

“C:\Program Files\Java\jre7\bin\keytool.exe” -list -keystore .\cacerts -storepass changeit

Look for the lines that show the aliases in the above commands.

If at any point you think the cacerts file goes awry, you can revert back to the original cacerts file by simply copying over it from the backup file made earlier.