There are at least 3 ways of handling this problem:

You can import the certificate into the JRE's default truststore (often in $JAVA_HOME/lib/security/cacerts). This will affect all the applications using that JRE (unless they override the default settings). You'll need to have write permissions on that cacerts file to do this too.

You can import the certificate into a local keystore that you will configure to be Tomcat's default truststore. Typically, you could make a copy of the default cacerts file and import your certificate into this copy, or you can create a new keystore and import only the certificates you know you need (keytool -import -keystore ... will create the keystore file if it doesn't exist). This can be done in Tomcat by setting an additional system property in catalina.sh (or .bat): in JAVA_OPTS, you can add -Djavax.net.ssl.trustStore=/path/to/local/truststore.jks for example (and other related properties).

You can make that certificate be used only by certain connections in your application (or set the default SSLContext programmatically). For this, you'll need to alter your application so that it loads the keystore, uses it to initialise a TrustManagerFactory, which is then passed into an SSLContext. Then, how that SSLContext can be used depends on the client library you're using. There is an example in this answer.

Either way, you can import your cert (be it a CA cert or a specific server cert) into the truststore of your choice using:

keytool -import -file cert.pem -alias "some name" -keystore truststore.jks

(If using the programming route, you can also create your keystore in memory and load the certificate file dynamically, as shown in this answer. Using keystores might be easier, it's up to you to assess the pros and cons of the deployment you want to use.)
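The third option above (loading a keystore, initialising a TrustManagerFactory and building an SSLContext from it) and the in-memory variant mentioned in the last paragraph, written out as an added example. This is not code from the answer; the truststore path, the password "changeit", the alias "trusted-cert" and the host https://example.internal/ are placeholders you would replace with your own values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStore {

    /** Build an SSLContext that trusts only the certificates held in a truststore file
     *  (e.g. one created with "keytool -import ... -keystore truststore.jks"). */
    public static SSLContext fromTrustStoreFile(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        return build(trustStore);
    }

    /** Build an SSLContext from a single PEM/DER certificate file, using an in-memory keystore
     *  instead of a keystore on disk. */
    public static SSLContext fromCertificateFile(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty, in-memory keystore
        trustStore.setCertificateEntry("trusted-cert", cert); // alias is a placeholder
        return build(trustStore);
    }

    /** Keystore -> TrustManagerFactory -> SSLContext, as described in the answer. */
    private static SSLContext build(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material (null KeyManagers); only the trust anchors are customised.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; replace with your own.
        SSLContext ctx = fromTrustStoreFile("/path/to/local/truststore.jks",
                                            "changeit".toCharArray());

        // Option A: scope the trust to this one connection only. Hostname verification
        // is untouched, so the certificate must still match the host you connect to.
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://example.internal/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());

        // Option B: make it the process-wide default. Every JSSE client in this JVM that
        // does not supply its own SSLContext will then use this truststore.
        // SSLContext.setDefault(ctx);
    }
}
```

Choosing between the two ways of applying the context is the same trade-off the answer describes for the truststore itself: setting it per connection keeps the extra trust anchor limited to the code that needs it, while SSLContext.setDefault changes what the whole JVM trusts. Neither path relaxes hostname verification or certificate validation; it only changes which anchors the validation chains up to.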