Is it possible to access certificates stored in the Local Machine store (rather than Current User) from a Java Servlet? I've tried using the MSCAPI provider opening the "Windows-MY" and "Windows-ROOT" stores, but neither contain certificates from the Local Machine store.

  • 381,978
  • 94
  • 789
  • 754
Petey B
  • 10,781
  • 22
  • 73
  • 101
  • Have you achieved what you wanted here? I am having the same problem, with no luck at all. – skw Dec 19 '11 at 23:12
  • @skw No, I was never able to retrieve local machine certs from pure Java, I ended up using Entrust's provider (which does a JNI call) to retrieve the certs I needed. – Petey B Dec 20 '11 at 14:56
  • Thank you for your reply. Too bad it's not Java native. I think it might be some security issue. – skw Dec 20 '11 at 19:13

4 Answers4


I used used JNA to access the certificates using the same windows dialog that pops up if you were to use any windows specific program - this may not answer your question but certainly lets you provide an option to access anything in a 'windows way':

    NativeLibrary cryptUI = NativeLibrary.getInstance("Cryptui");
    NativeLibrary crypt32 = NativeLibrary.getInstance("Crypt32");

    Function functionCertOpenSystemStore = crypt32.getFunction("CertOpenSystemStoreA");
    Object[] argsCertOpenSystemStore = new Object[] { 0, "CA"};
    HANDLE h = (HANDLE) functionCertOpenSystemStore.invoke(HANDLE.class, argsCertOpenSystemStore);

    Function functionCryptUIDlgSelectCertificateFromStore = cryptUI.getFunction("CryptUIDlgSelectCertificateFromStore");
    Object[] argsCryptUIDlgSelectCertificateFromStore = new Object[] { h, 0, 0, 0, 16, 0, 0};
    Pointer ptrCertContext = (Pointer) functionCryptUIDlgSelectCertificateFromStore.invoke(Pointer.class, argsCryptUIDlgSelectCertificateFromStore);

    Function functionCertGetNameString = crypt32.getFunction("CertGetNameStringW");
    char[] ptrName = new char[128];
    Object[] argsCertGetNameString = new Object[] { ptrCertContext, 5, 0, 0, ptrName, 128};
    System.out.println("Selected certificate is " + new String(ptrName));

    Function functionCertFreeCertificateContext = crypt32.getFunction("CertFreeCertificateContext");
    Object[] argsCertFreeCertificateContext = new Object[] { ptrCertContext};

    Function functionCertCloseStore = crypt32.getFunction("CertCloseStore");
    Object[] argsCertCloseStore = new Object[] { h, 0};

It is just a piece of code that works; feel free to apply your coding practices.

Venkatesh Laguduva
  • 10,979
  • 5
  • 26
  • 34

The default JDK implementation is fairly limited. AFAIK it will only bring back RSA keys and certificates. It is not a general purpose adapter to MSCAPI. I have been able to get some certs back using the mechanism you describe.

  • 4,271
  • 4
  • 29
  • 52
  • All I want is the RSA key pair. You are right I can get the key pair from the Current User's Personal (Windows-MY) store, but instead I would like to get them from the Local Machine's Personal certificate store. I havn't found a way to specify which certificate store (Current User/Local Machine) to read from. It seems to only want to read from Current User. – Petey B Aug 31 '10 at 21:00
  • I see what you want to do, but: Why should it let you read from the stores of other users? Does the local machine have key pairs in its store? -- if so your java process would need the permission to act as part of the OS. – Justin Aug 31 '10 at 22:16
  • Yes the local machine has a key pair in its store; any idea how i could give my java process permission to act as part of the OS? – Petey B Sep 01 '10 at 13:34
  • This is one of the difficult things about java, since java.exe is the binary you have to give it the permission (not the class file) if I remember correctly your process must actively claim the permission through native code. I should also mention that I am guessing about the OS permission you will need. Can you first put a trusted cert (not a key pair) into the Windows-ROOT and retrieve it? – Justin Sep 01 '10 at 15:35
  • 1
    Yes I can retreive certificates from the Local Machine Windows-ROOT store fine, the Local Machine Windows-MY store however appears empty to Java. – Petey B Sep 02 '10 at 17:55

As others have mentioned, the MSCAPI provider does not provide access to certificates and keys stored in the "Local Computer" certificate store. The reason for this is that MSCAPI uses the Microsoft CryptoAPI function CertOpenSystemStore to access the certificates and keys. The documentation for this function explicitly states that "Only current user certificates are accessible using this method, not the local machine store". You can follow this OpenJDK bug if you want to track progress on this issue.

If you want a proper solution to the problem you can purchase the commercial Pheox JCAPI library.

If you can live with a hack, I have created a simple utility that intercepts the JDKs call to CertOpenSystemStore and returns a handle to a virtual certificate store allowing read-only access to the certificates and keys in both the "Current User" and "Local Machine" certificate stores. This solved my problem, but be aware of the limitations of this utility.

  • 189
  • 10

The certificates you are looking for are in the java keystore file or are passed into tomcat when starting the server


if you are trying to load them in your application, then look here for to make HTTPS requests, then the HTTPClient documentation will get you started


not sure if this helps you out, but if you can provide more details, then you might be able to get a more specific answer

public class KeyStoreLookup {
    public static void main(String args[]) {
        try {
            KeyStore ks = 
            String fname = System.getProperty("user.home") +
                                File.separator + ".keystore";
            FileInputStream fis = new FileInputStream(fname);
            ks.load(fis, null);
            if (ks.isKeyEntry(args[0])) {
                System.out.println(args[0] +
                                " is a key entry in the keystore");
                char c[] = new char[args[1].length()];
                args[1].getChars(0, c.length, c, 0);
                System.out.println("The private key for" + args[0] + 
                            " is " + ks.getKey(args[0], c));
                Certificate certs[] = ks.getCertificateChain(args[0]);
                if (certs[0] instanceof X509Certificate) {
                    X509Certificate x509 = (X509Certificate) certs[0];
                    System.out.println(args[0] + " is really " +
                if (certs[certs.length - 1] instanceof
                                     X509Certificate) {
                    X509Certificate x509 = (X509Certificate) 
                                        certs[certs.length - 1];
                    System.out.println(args[0] + " was verified by " +
            else if (ks.isCertificateEntry(args[0])) {
                System.out.println(args[0] +
                            " is a certificate entry in the keystore");
                Certificate c = ks.getCertificate(args[0]);
                if (c instanceof X509Certificate) {
                    X509Certificate x509 = (X509Certificate) c;
                    System.out.println(args[0] + " is really " +
                    System.out.println(args[0] + " was verified by " +
            else {
                System.out.println(args[0] +
                        " is unknown to this keystore");
        } catch (Exception e) {
Aaron Saunders
  • 31,625
  • 5
  • 54
  • 74
  • 1
    I'm not looking to do SSL. I would like to access machine certificates and pull out their key pair to encrypt/decrypt certain settings in configuration files. I have done this with certificates in the Current User's Personal Certificate store, but I would like to pull (SSL) certificates out of the Local Machine store for the crypto instead. – Petey B Aug 31 '10 at 20:58