Procedure to create a certificate chain recognized by java


tl;dr - get KeyStore Explorer (http://keystore-explorer.org/) and save yourself a world of trouble.

p.s. - the keystore alias setting is extremely significant to certain java applications (for example: iDempiere in its Jetty provider ssl configuration (. . ./jettyhome/etc/jetty-ssl-context.xml)). In these cases one must ensure that the alias of the certificate java is looking for matches the alias it is actually using to find it.

O.P.

I have a need to use a private CA and its certificates in a java application. I am unable to discover how a private CA root certificate and its intermediates are added to the java trusted certificates. I have found and read multiple articles on how this is supposed to be done but my efforts are not able to accomplish what I need.

I am using OpenJDK11. The java cacerts file is located in /usr/local/openjdk11/lib/security/cacerts. This, I believe, contains the trusted certificate list used by Java.

I have manually added the private CA root and intermediate certificates to this store:

cp -p /usr/local/openjdk11/lib/security/cacerts /usr/local/openjdk11/lib/security/cacerts.cln
cp -p /usr/local/openjdk11/lib/security/cacerts /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import   \
  -trustcacerts   \
  -file /usr/local/etc/pki/tls/certs/CA_HLL_ROOT_2016.crt  \
  -alias 'hartelyneroot2016 [hll]'  \
  -keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import  \
   -trustcacerts  \
   -file /usr/local/etc/pki/tls/certs/CA_HLL_ISSUER_2016.crt \
   -alias 'hartelyneissuer2016 [hll]'  \
   -keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -list  -rfc  -keystore /root/hll_jdk11_cacerts | grep hll
Enter keystore password:  changeit
Alias name: hartelyneissuer2016 [hll]
Alias name: hartelyneroot2016 [hll]

cp -p /root/hll_jdk11_cacerts /usr/local/openjdk11/lib/security/cacerts

As far as I can determine, certificates issued by CA_HLL_ISSUER_2016 and CA_HLL_ROOT_2016 should now be recognized as trusted by java on this host. But, they are not. I need to discover why.

JAVA_VERSION="11" java SSLPoke google.ca 443
Successfully connected

JAVA_VERSION="11" java SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchor

But I have no trouble with openssl s_client:

openssl s_client -connect webmail.harte-lyne.ca:443
CONNECTED(00000003)
depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
verify return:1
depth=1 CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
verify return:1
depth=0 CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
verify return:1
---
Certificate chain
 0 s:CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
   i:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
 1 s:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
   i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
 2 s:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
   i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
---
Server certificate
-----BEGIN CERTIFICATE-----

. . .

---
Acceptable client certificate CA names
. . .
CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
. . .
CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
. . .

What am I missing here? How does one add private CAs to the Java truststore?

Following the suggestion given in the answer I did exactly this in the order given:

openssl s_client -connect webmail.harte-lyne.ca:443 -showcerts > harte.crt

JAVA_VERSION="11" keytool -import -alias harte -file harte.crt -keystore cacerts -storepass changeit
. . .
Trust this certificate? [no]:  yes
Certificate was added to keystore

JAVA_VERSION="11" java  SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Am I encountering a bug in OpenJDK?

2
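An added diagnostic, not part of the question or either answer, for exactly the situation above: it reads the chain captured with `openssl s_client -showcerts` (leaf first, as s_client prints it) together with a truststore, and reports whether the served chain links to a truststore entry by subject name only or by name and key, then runs the same PKIX validation Java's default TrustManager performs. The class name `TrustDiag` and the argument order are mine; it assumes a JDK 9 or later and needs no network access.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic (not part of the question or either answer).
 * Input: the chain a server presented, leaf first, as written by
 * "openssl s_client -connect host:443 -showcerts </dev/null > chain.pem",
 * and a Java truststore. Output: whether the chain links to a truststore
 * entry by name only or by name AND key, plus the verdict of the PKIX
 * validation that Java's default TrustManager performs. No network access.
 *
 * Usage: java TrustDiag chain.pem /path/to/cacerts changeit
 */
public class TrustDiag {

    /** Colon-separated SHA-256 fingerprint of the DER encoding, as keytool prints it. */
    static String sha256(Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) {
            sb.append(String.format("%02X:", b));
        }
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        String chainFile = args[0], storeFile = args[1], storePass = args[2];

        // 1. Parse every PEM block in the captured chain; the X.509 factory skips
        //    the non-PEM text that s_client prints around the blocks.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(chainFile)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no PEM certificates in " + chainFile);
        X509Certificate top = chain.get(chain.size() - 1);
        System.out.println("top of served chain: " + top.getSubjectX500Principal());
        System.out.println("  issued by        : " + top.getIssuerX500Principal());
        System.out.println("  SHA-256          : " + sha256(top));

        // 2. Load the truststore (JDK 9+ reads both JKS and PKCS12 through the default type).
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storeFile)) {
            ts.load(in, storePass.toCharArray());
        }

        // 3. Java finds candidate anchors by subject DN == issuer DN of the top cert and
        //    then checks that the anchor's KEY verifies that cert. The alias is never
        //    consulted. A DN match whose key fails means the file that was imported
        //    is not the certificate the server actually chains to.
        boolean nameMatch = false, keyMatch = false;
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate t = (X509Certificate) ts.getCertificate(alias);
            if (!t.getSubjectX500Principal().equals(top.getIssuerX500Principal())) continue;
            nameMatch = true;
            try {
                top.verify(t.getPublicKey());
                keyMatch = true;
                System.out.println("anchor '" + alias + "': DN matches and key verifies the chain");
            } catch (Exception e) {
                System.out.println("anchor '" + alias + "': DN matches but key does NOT verify; "
                        + "stored cert is " + sha256(t));
            }
        }
        if (!nameMatch) System.out.println("no truststore entry has subject " + top.getIssuerX500Principal());

        // 4. Full PKIX validation, as the default X509TrustManager runs it (revocation
        //    checking is off unless configured). getIndex() points at the failing cert.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("PKIX validation: OK");
        } catch (CertPathValidatorException e) {
            System.out.println("PKIX validation FAILED at cert index " + e.getIndex() + ": " + e.getMessage());
        }
        System.exit(keyMatch ? 0 : 1);
    }
}
```

Comparing the printed SHA-256 of the served top certificate with the fingerprint keytool prints on import tells you directly whether the file you imported is the certificate the server chains to.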

There are 2 answers

2
Margus Pala On

I understand that you want to perform client certificate authentication on some HTTPS call. Trusting the certificate is not enough. You need to use a keypair that has been signed with this CA for the HTTPS handshake to succeed.

Try something like this

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

String keyPassphrase = "";
// Client keypair plus its CA-issued certificate, stored in a PKCS#12 file
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (FileInputStream in = new FileInputStream("cert-key-pair.pfx")) {
    keyStore.load(in, keyPassphrase.toCharArray());
}

// Apache HttpClient 4.x: present the keypair as client key material in the TLS handshake
SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, null)
        .build();
HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
HttpResponse response = httpClient.execute(new HttpGet("https://example.com"));
1
dave_thompson_085 On

No, the alias does not matter for the default trustmanager (which is used by SSLPoke), nor any other I have seen. You must have a correct certificate (which necessarily contains a correct CN) in the keystore used as truststore, but the alias does not matter. Since it is hard to understand and impossible to reproduce what exists on your system, here is a log from scratch of an AWS EC2 t2.micro instance using Amazon Linux 2 ami-0a0ad6b70e61be944, and the openjdk 11 available for that system, which is Amazon Corretto, which anyone should be able to reproduce.

Part 1 -- fails to validate with default cacerts

[ec2-user@ip-172-31-21-185 ~]$ sudo yum install java-11-amazon-corretto-headless
. . .
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ curl https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1959  100  1959    0     0  13992      0 --:--:-- --:--:-- --:--:-- 13992
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ java SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:819)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1189)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1161)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 20 more
[ec2-user@ip-172-31-21-185 ~]$

Part 2 -- get the root cert with openssl

[ec2-user@ip-172-31-21-185 ~]$ openssl s_client -connect webmail.harte-lyne.ca:443 -showcerts </dev/null 2>/dev/null | awk '/-BEGIN CERT/&&++n==3,/-END CERT/' | tee cert.pem | openssl x509  -subject -issuer -dates -fingerprint
subject= /CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
issuer= /CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
notBefore=Nov  1 00:00:00 2016 GMT
notAfter=Oct 31 23:59:59 2036 GMT
SHA1 Fingerprint=09:84:38:AD:7C:E7:E1:7D:78:FE:93:CD:2A:2F:3F:3E:AF:98:C2:0F
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
[ec2-user@ip-172-31-21-185 ~]$ 

Part 3 -- modify and use cacerts; alias can be anything

[ec2-user@ip-172-31-21-185 ~]$ 
[ec2-user@ip-172-31-21-185 ~]$ sudo cp /usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts save
[ec2-user@ip-172-31-21-185 ~]$ sudo keytool -cacerts -storepass changeit -importcert -file cert.pem -alias cookiemonster
Owner: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Issuer: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Serial number: 1
Valid from: Tue Nov 01 00:00:00 UTC 2016 until: Fri Oct 31 23:59:59 UTC 2036
Certificate fingerprints:
         SHA1: 09:84:38:AD:7C:E7:E1:7D:78:FE:93:CD:2A:2F:3F:3E:AF:98:C2:0F
         SHA256: 88:11:D6:A7:95:2A:DD:AE:0E:7E:B7:3B:74:BF:E5:0F:12:00:AF:18:F9:5F:1A:CC:A3:51:DF:DB:7F:14:B5:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
0000: 16 33 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  .3http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 41 5F 48 4C 4C  e-lyne.ca/CA_HLL
0020: 5F 52 4F 4F 54 5F 32 30   31 36 2F 63 72 6C 2D 76  _ROOT_2016/crl-v
0030: 31 2E 63 72 6C                                     1.crl


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/ca.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [    01]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/crl-v2.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.2.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 50 53           e-lyne.ca/CPS

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 34 1A 32 4C 69 6D 69   74 65 64 20 4C 69 61 62  04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73   65 65 20 68 74 74 70 3A  ility, see http:
0020: 2F 2F 63 61 2E 68 61 72   74 65 2D 6C 79 6E 65 2E  //ca.harte-lyne.
0030: 63 61 2F 43 50 53                                  ca/CPS

]]  ]
]

#7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: [email protected]
  URIName: http://ca.harte-lyne.ca
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
   Object Signing CA]

#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: [email protected]
]

#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ java SSLPoke webmail.harte-lyne.ca 443
Successfully connected
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ sudo cp save /usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts
[ec2-user@ip-172-31-21-185 ~]$ sudo keytool -cacerts -storepass changeit -importcert -file cert.pem -alias 'bigbird [xyz]'
. . .

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$ java SSLPoke webmail.harte-lyne.ca 443
Successfully connected
[ec2-user@ip-172-31-21-185 ~]$

Part 4 -- use own (custom) keystore(s); ditto

[ec2-user@ip-172-31-21-185 ~]$ sudo cp save /usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts
[ec2-user@ip-172-31-21-185 ~]$ keytool -keystore sep1 -storepass changeit -importcert -file cert.pem -alias cookiemonster
. . .

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$ 
[ec2-user@ip-172-31-21-185 ~]$ java -Djavax.net.ssl.trustStore=sep1 -Djavax.net.ssl.trustStorePassword=changeit SSLPoke webmail.harte-lyne.ca 443
Successfully connected
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ keytool -keystore sep2 -storepass changeit -importcert -file cert.pem -alias 'big bird [xyz]'
. . .

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$ java -Djavax.net.ssl.trustStore=sep2 -Djavax.net.ssl.trustStorePassword=changeit SSLPoke webmail.harte-lyne.ca 443
Successfully connected
[ec2-user@ip-172-31-21-185 ~]$

PS: keymanagers used on the prover side, normally the server, are different. The default keymanager doesn't use aliases, but I've seen many others that do, most notably Tomcat. In those cases it is vital that the alias match the configuration, though not the CN or any other data in the cert.
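An added example, not from the question or either answer, that applies the two points above (the trust side never reads the alias; a separate truststore works just as well as cacerts) without editing the JDK's cacerts or setting the process-wide -Djavax.net.ssl.trustStore properties of Part 4: the JDK truststore is copied into memory, the private CA is added under an arbitrary alias, and the result backs an SSLContext for one Java 11 HttpClient. The class name `ScopedTrust`, the alias prefix and the command-line arguments are mine; it assumes a JDK 11 or later and a PEM file holding the private CA certificate(s).

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the question or either answer): trust a private CA for ONE
 * client without editing the JDK's cacerts and without the process-wide
 * -Djavax.net.ssl.trustStore properties. The JDK truststore is copied into memory,
 * the private CA certificate(s) are added under arbitrary aliases, and the result
 * backs an SSLContext for the Java 11 HttpClient. Every other Java process on the
 * host keeps its original trust set, and the private CA lives in the application's
 * own configuration rather than in the JDK installation.
 *
 * Usage: java ScopedTrust ca.pem https://host.example/
 */
public class ScopedTrust {

    /** cacerts of the running JDK (JDK 9+ layout). */
    static Path defaultCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** In-memory truststore = the JDK's public roots + the private CA certs in caPem. */
    static KeyStore trustStoreWithPrivateCa(Path caPem) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(defaultCacerts())) {
            ts.load(in, null);   // null password: read without the integrity check, whatever password the admin set
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (InputStream in = Files.newInputStream(caPem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                // The alias is only a map key inside the keystore; TLS validation never reads it.
                ts.setCertificateEntry("private-ca-" + n++, c);
            }
        }
        if (n == 0) throw new IllegalArgumentException("no certificates found in " + caPem);
        return ts;
    }

    /** Server-authentication-only SSLContext backed by the given truststore. */
    static SSLContext sslContextFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                                   // PKIX trust managers, same validation as the default
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no key material: this client presents no certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFor(trustStoreWithPrivateCa(Paths.get(args[0])));
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpResponse<Void> r = client.send(HttpRequest.newBuilder(URI.create(args[1])).build(),
                                           HttpResponse.BodyHandlers.discarding());
        System.out.println("HTTP " + r.statusCode() + " from " + args[1]);
    }
}
```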