When using `--cacert` you need to specify the certificate, e.g. `/tmp/ca.crt`.

`--cacert` (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates.

`--capath` (HTTPS) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied

As Amit quoted, curl `--cacert` requires a file in PEM format, but the Java cacerts file is in JKS format, which is massively different. You can convert the certs from JKS format to PEM format with a script, something like:

```sh
jks=/usr/lib/jvm/$javaversion/jre/lib/security/cacerts
# List the keystore, take the alias (first comma-separated field) of every
# trusted-cert entry, and export each certificate in PEM form (-rfc).
for c in $(keytool -keystore "$jks" -storepass changeit -list | awk -F, '/trustedCert/{print $1}'); do
    keytool -keystore "$jks" -storepass changeit -exportcert -alias "$c" -rfc
done > cacerts.pem   # output file name chosen here as an example
# for Java9 up use -cacerts instead of -keystore $jks
```

Which maybe makes this marginally on-topic for SO, since your Q isn't about programming at all. Instead of doing all the certs you could do a selected one, or few, that are needed for the connections you want to make and validate.

But for RedHat (as tagged) this isn't necessary. In RedHat (and RH-based) Open JDK packages, JRE/lib/security/cacerts is actually a symlink to /etc/pki/java/cacerts, which is supplied by a different package, ca-certificates.noarch. That package also supplies the same certs already in PEM format in /etc/pki/tls/cert.pem, so you could use that directly (in spite of the name appearing singular it actually contains, or rather links to a file containing, many certs), AND in NSS format in /etc/pki/nssdb/*, which is what the RH package of curl uses by default. Thus your curl already by default uses the same certs you can get from the Java cacerts file, so this effort accomplishes nothing at all.
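A pre-flight check for the format mismatch described above, as an added example that is not part of the original answers: it classifies a file as a JKS keystore or a PEM bundle before it is handed to `curl --cacert`. The helper names `ca_format` and `make_samples` are hypothetical, and the sample files are constructed placeholders, not real certificates.

```sh
#!/bin/sh
# Prints "pem <count>", "jks", "truncated-pem", "unknown" or "unreadable".
# Returns 0 only when the file looks usable as a PEM CA bundle.
ca_format() {
    _f=$1
    [ -r "$_f" ] || { echo "unreadable"; return 2; }
    # A JKS keystore starts with the 4-byte magic 0xFEEDFEED.
    _magic=$(head -c 4 "$_f" | od -An -tx1 | tr -d ' \n')
    if [ "$_magic" = "feedfeed" ]; then
        echo "jks"; return 1
    fi
    # grep -c exits 1 when the count is zero, hence the "|| true".
    _b=$(grep -c '^-----BEGIN CERTIFICATE-----' "$_f" || true)
    _e=$(grep -c '^-----END CERTIFICATE-----' "$_f" || true)
    if [ "$_b" -gt 0 ] && [ "$_b" -eq "$_e" ]; then
        echo "pem $_b"; return 0
    elif [ "$_b" -gt 0 ] || [ "$_e" -gt 0 ]; then
        # Unbalanced markers: a cut-off copy or a bad concatenation.
        echo "truncated-pem"; return 1
    fi
    echo "unknown"; return 1
}

# Constructed sample inputs (placeholder bodies, not real certificates).
make_samples() {
    # JKS magic followed by a version word.
    printf '\376\355\376\355\000\000\000\002' > "$1/cacerts.jks"
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'REVG' '-----END CERTIFICATE-----'
    } > "$1/bundle.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' > "$1/cut.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for name in cacerts.jks bundle.pem cut.pem; do
    printf '%s: %s\n' "$name" "$(ca_format "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

The check looks only at the magic bytes and PEM markers, so a `pem` result says the file has the right container format, not that its certificates are valid or trusted.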