How to view and edit cacerts file?

Question

Using RAD 8.5 with WAS 8.5 runtime, I am getting an exception on my console:

The keystore located at "C:\IBM\Websphere85\jdk\jre\lib\security\cacerts" failed to load due to the following error: DerInputStream.getLength(): lengthTag=109, too big..

After searching for the error I got this link which suggests to edit the file and remove blank lines/extra characters.

How do I edit the file? I am on windows environment and the file seems to be base64 encoded.

According to that same link, it's not a problem with the Base64 encoding itself but rather with extra blank lines or visible data after the end. "Base64" contains just plain ASCII text ([per its definition](http://en.wikipedia.org/wiki/Base64)) and so you can use Notepad or any other plain text editor. — Jongware, Nov 30 '13 at 01:08
@Jongware: Notepad did not seem to be a good editor for doing that. I had to open up it in Wordpad but still I am not able to read it due to encoding and so there is no way to verify if I have made good edits. Well, it did not work though. — Prince, Dec 05 '13 at 04:32
Unfortunately, you are not helping us to help you ... 1. Actually your question is OT for SO *unless* this is a specific problem with code *you* wrote; 2. My suggestion is based on your own assertion the file you are talking about is the same type as in your link; 3. Editing a plain Base64 file *ought* to be possible using Notepad, and if this wasn't possible, then it's not a file of the *type* you think it is, or it is not the same *error* you think it is. — Jongware, Dec 05 '13 at 14:33
@Jongware: Please let me elaborate. In the Notepad, I do not see any blank lines (whole file appears as a big block of text) whereas in the Wordpad I am able to see blank lines. But removing blank lines using Wordpad has not helped me so far. And the text I see in Wordpad is partly plain text(ASCII) and partly encoded[1]. I am interested in knowing if there is a specific editor that can show me the file "All in Plain Text" format (like it is displayed using the keytool utility) so I know that I am not messing up with the file or changing its contents by mistake. — Prince, Dec 05 '13 at 17:10
[1] Regarding the encoding, as the link says to remove Base64-encoded text certificates; I assumed that might be the case. As far as I know, the certificates are usually DER-encoded. Since cacerts is without any extension I am not sure about its encoding. This is all I know. Any help is appreciated! — Prince, Dec 05 '13 at 17:14

score 28 · Answer 1 · answered Oct 18 '19 at 16:37

As far as the original question, you can use the keytool command to view and edit a keystore like cacerts.

To view all keys in the keystore, use keytool -list:

$ keytool -list -keystore ${keystore.file}

where ${keystore.file} is the path to the cacerts file, in your case C:\IBM\Websphere85\jdk\jre\lib\security\cacerts.

To remove a specific key, use keytool -delete:

$ keytool -delete -alias ${cert.alias} -keystore ${keystore.file}

where ${cert.alias} is an existing key alias from the above -list command. *

To add a new key that was already generated elsewhere, use keytool -importcert:

$ keytool -importcert -alias ${cert.alias} -keystore ${keystore.file} -file ${cer.file}

where ${cer.file} is the path to an existing certificate or certificate chain.

Note that with each of these commands, you will be prompted for the keystore password which you can instead specify with the -storepass option. For example:

$ keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass}

* The ${cert.alias} is the left-most value in the lines outputted from keytool -list.

For example, if this is the ouput from keytool -list:

$ keytool -list -keystore ./cacerts
Enter keystore password:  

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

verisignclass1ca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

then verisignclass1ca and verisignserverca are aliases you can specify to delete.

Thank you so much for this thorough answer. – james.garriss Jan 06 '21 at 12:14 — james.garriss, Jan 06 '21 at 12:14

score 4 · Accepted Answer · edited May 23 '17 at 11:45

Here's a way to actually solve this problem without the need to view or edit the file.

The default keyStore type is JKS and the WSKeyStore class assumes it to be a PKCS12 file which throws the above error. So we need to convert the cacerts file to .p12 format.

Using the keytool utility from command line I executed:

C:\IBM\WebSphere85\AppServer\java\bin>keytool -importkeystore ^
 -srckeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts ^
 -destkeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts.p12 ^
 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -noprompt

which gave me a cacerts.p12 file which could be easily read by the above class.

References:

How to view and edit cacerts file?

2 Answers2

Linked