
Exporting the AD root CA certificate and importing it into the Java Keystore

The Active Directory root certificate can be retrieved in multiple ways. One of them is to export it using the certificate management tool included with Windows.

  • Go to Start > Run... and open C:\Windows\System32\certmgr.msc.
  • In the newly opened window browse to Trusted Root Certification Authorities → Certificates.
  • Select your (valid) AD domain's root certificate from the list. Double click the certificate to open. Go to the tab "Details".
  • Click "Copy to File…".
  • In the wizard, click "Next".
  • In the next step choose "Base-64 encoded X.509 (.CER)" and click Next again.
  • Choose a location and name for the file to be saved, e.g. C:\Temp\ExampleCA.cer.
  • Click Next again and finally click Finish.

A file is written whose contents should look like this:

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
... MORE LINES LIKE THAT ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpR
C3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPUL
B7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq
vA==
-----END CERTIFICATE-----

This certificate needs to be imported into your Java JDK keystore. If you have multiple Java versions installed, check your Java settings to see which JDK instance is used. Let's assume for this example that it is installed in C:\Program Files\Java\jdk1.6.0_43\.

  • Go to Start > Run... and open cmd (command window) as an Administrator.
  • Go to C:\Program Files\Java\jdk1.6.0_43\jre\lib\security\ (type "cd C:\Program Files\Java\jdk1.6.0_43\jre\lib\security").
  • Execute the following command. Correct the paths and file names where necessary and replace the description (alias "Example CA 2017") used with something suitable.
keytool -import -keystore cacerts -alias "Example CA 2017" -file C:\Temp\ExampleCA.cer -storepass changeit

  • When asked whether you trust the certificate, verify the certificate name and expiration, and if OK, type "yes" and hit enter.
  • If necessary copy the file cacerts to other Java installations or systems.
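
The following PowerShell script is an added example, not part of the original article: it checks the exported file before you answer "yes" to keytool, then exports the entry back out of cacerts to confirm that the keystore holds exactly that certificate. It assumes the article's example paths and alias, that keytool.exe sits in the bin folder of that JDK, and a hypothetical `$expected` variable for a fingerprint you obtained from your CA administrator.

```powershell
# Added example: paths and alias below are the article's example values.
$cerPath  = 'C:\Temp\ExampleCA.cer'
$javaHome = 'C:\Program Files\Java\jdk1.6.0_43'
$keytool  = Join-Path $javaHome 'bin\keytool.exe'            # assumed location
$keystore = Join-Path $javaHome 'jre\lib\security\cacerts'
$alias    = 'Example CA 2017'
$expected = ''  # hypothetical: SHA-256 fingerprint obtained out of band (optional)
$x509Type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

function Get-Sha256Fingerprint($cert) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ':' }
    finally { $sha.Dispose() }
}

# 1. Inspect the exported file (the constructor reads Base-64 and DER .cer files).
$cert = New-Object $x509Type -ArgumentList $cerPath
$fp   = Get-Sha256Fingerprint $cert
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $fp"

$now = Get-Date
# Name comparison only; it does not verify the self-signature.
if ($cert.Subject -ne $cert.Issuer) { throw 'Not a root: subject and issuer names differ.' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period.' }
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # basicConstraints
if (-not ($bc -and $bc.CertificateAuthority)) { Write-Warning 'basicConstraints CA flag is not set.' }
if ($expected -and $fp -ne $expected) { throw 'Fingerprint does not match the expected value.' }

# 2. Export the entry back out of cacerts and compare it byte for byte.
$tmp = Join-Path $env:TEMP 'cacerts-entry.cer'
& $keytool -exportcert -rfc -keystore $keystore -storepass changeit -alias $alias -file $tmp
if ($LASTEXITCODE -ne 0) { throw "keytool could not export alias '$alias' from $keystore." }
$stored = New-Object $x509Type -ArgumentList $tmp
Remove-Item $tmp
if ((Get-Sha256Fingerprint $stored) -ne $fp) { throw 'Keystore entry differs from the exported certificate.' }
"OK: alias '$alias' in cacerts matches $cerPath"
```

Run it after the import step; to check the file before importing, run only the part up to the end of step 1.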

Version history: revision 2 of 2. Last update: Jul 14, 2023 08:50 PM.