The cacerts Certificates File

A certificates file named cacerts resides in the security properties directory, java.home\lib\security, where java.home is the runtime environment directory (the jre directory in the SDK or the top-level directory of the Java™ 2 Runtime Environment).

The cacerts file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying jks as the keystore type. The cacerts keystore file ships with several root CA certificates. The initial password of the cacerts keystore file is changeit. System administrators should change that password and the default access permission of that file when installing the SDK.

Important: Verify your cacerts file. Since you trust the CAs in the cacerts file as entities for signing and issuing certificates to other entities, you must manage the cacerts file carefully. The cacerts file should contain only certificates of the CAs you trust. It is your responsibility to verify the trusted root CA certificates bundled in the cacerts file and make your own trust decisions. To remove an untrusted CA certificate from the cacerts file, use the delete option of the keytool command. You can find the cacerts file in the runtime environment installation directory. Contact your system administrator if you do not have permission to edit this file.

You can import the new root certificates manually into the cacerts truststore, if required, by taking the following steps:

  1. Obtain the root certificates from the official provider.

  2. Set the PATH environment variable to point to the IBM® JRE/SDK:

    Unix
    export PATH=[path to SDK]/bin:$PATH
    Windows
    set PATH=[path to SDK]\bin;%PATH%
  3. Verify that IBM Java is being picked up correctly:

    $ java -version
  4. Import the root certificates into the cacerts keystore with their alias:

    $ keytool -import -alias xxxx -file xxxx.der -keystore /path-to-sdk/jre/lib/security/cacerts -storepass "changeit"
    Notes:
    • “changeit” is the default password as provided by the VM. You can change it.
    • Specify the path to the file in the import commands.
    • If the certificates are supplied in .pem format and the keystore does not accept .pem input, convert them to .der with the following command and import the .der files instead.
      $ openssl x509 -outform der -in [certificate-filename].pem -out [certificate-filename].der

    You are prompted with “Trust this certificate? [no]” to confirm whether you want to continue with the import of the root certificates.

  5. Type YES and press RETURN.

  6. Verify that the certificates were imported with the following command:

    $ keytool -list -v -keystore /path-to-sdk/jre/lib/security/cacerts -storepass "changeit"
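The two checks the text asks for, which trusted roots are present and whether the default password is still in use, can also be made without keytool. The following Python is an added example, not part of IBM's documentation: it parses the JKS format that cacerts uses, lists each trusted-certificate alias with its SHA-256 fingerprint so the bundled roots can be compared against the provider's published values, and reports whether the keystore's integrity digest verifies under changeit. The certificate bytes are a constructed placeholder, not a real certificate, and the keystore is built in memory rather than read from a real installation.

```python
import hashlib
import struct

# Constructed stand-in for a DER certificate: NOT a real X.509 certificate,
# only bytes so the example runs offline.
FAKE_CERT_DER = b"\x30\x82\x00\x10" + bytes(range(16))

def _utf(s):
    """Java DataOutput.writeUTF(): 2-byte big-endian length + UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def jks_digest(body, password):
    """JKS integrity digest: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()

def build_trust_store(entries, password):
    """Build a minimal JKS keystore of trusted-certificate entries (constructed
    test data standing in for cacerts). entries: list of (alias, der_bytes)."""
    body = struct.pack(">III", 0xFEEDFEED, 2, len(entries))  # magic, version 2, count
    for alias, der in entries:
        body += struct.pack(">I", 2)        # tag 2 = trustedCertEntry
        body += _utf(alias)
        body += struct.pack(">Q", 0)        # creation timestamp (ms since epoch)
        body += _utf("X.509")               # certificate type
        body += struct.pack(">I", len(der)) + der
    return body + jks_digest(body, password)

def inspect_cacerts(data, password="changeit"):
    """Parse a version-2 JKS keystore such as cacerts. Returns (entries, password_ok):
    (alias, sha256_hex) per trusted cert, and whether the digest verifies under `password`."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != 0xFEEDFEED or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", data, pos); pos += 6
        alias = data[pos:pos + alen].decode("utf-8"); pos += alen + 8  # skip timestamp
        if tag != 2:
            raise ValueError("entry %r holds a private key; cacerts should hold only CA certs" % alias)
        (tlen,) = struct.unpack_from(">H", data, pos); pos += 2 + tlen  # skip type string
        (clen,) = struct.unpack_from(">I", data, pos); pos += 4
        der = data[pos:pos + clen]; pos += clen
        entries.append((alias, hashlib.sha256(der).hexdigest()))
    return entries, jks_digest(data[:pos], password) == data[pos:pos + 20]
```

A `password_ok` of True for a real cacerts file means the default password has not been changed, which the text above asks administrators to do at install time.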

For a worked example of importing the root certificates manually, refer to Service refresh 8 fix pack 35.