Hi: I'd appreciate some guidance. I'm running RHEL 7, which includes 0.20.7 of p11-kit, and I'm trying to import a certificate for one of my company's HTTPS servers. It needs to go into the java cacerts file so a Java application can find the certificate. On RHEL 7, the "update-ca-trust" command does:

/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts

I extracted the server's certificate from Firefox's https connection (I also tried retrieving it with openssl s_client, Internet Explorer and Chrome; they all produce the same PEM file). I dropped the file in /etc/pki/ca-trust/source/anchors/ and ran the update-ca-trust command. But, the /etc/pki/ca-trust/extracted/java/cacerts file so created did not contain my certificate.

If I add my certificate directly to java/cacerts with the java keytool command:

keytool -import -trustcacerts -keystore /etc/pki/ca-trust/extracted/java/cacerts -file my.cert

it works OK. I can access the site with Java commands. However, the next time RHEL runs update-ca-trust, it overwrites java/cacerts and I lose my certificate installation.

Is there some way I can diagnose why p11-kit extract doesn't add my certificate to java/cacerts? I ran it under strace and it definitely opens and reads the PEM file. So, perhaps there's something about the certificate itself that doesn't meet some criterion of p11-kit?

Thanks for your help!

Allen