Important warning. The .key file belongs only on the server side. If the certificate shows on some 'gateway' address, this would mean the *.key file belongs only on the 'gateway'. Don't play with it. Don't copy it around randomly. If someone is able to read it, your certificate becomes compromised - it cannot provide trusted authentication anymore.
I understand you want to ensure the *.cer file is trusted on the client side. It is irrelevant here that your client is actually the same java process that also ultimately serves the content. Just proceed as with any java app that tries to connect to an untrusted self-signed certificate:
- Locate which JAVA_HOME directory you use to run tomcat (could be occasionally customized inside catalina.bat or setenv.bat).
- Trust your x.cer file:
  %JAVA_HOME%\bin\keytool -importcert -keystore %JAVA_HOME%\jre\lib\security\cacerts -file x.cer -alias my-self-signed-cert1
  The default keystore password is changeme or changeit, I keep mixing it up, sigh.
- It should work immediately without tomcat restart.
- Document what you did, because any Java update will likely overwrite cacerts.
- If it doesn't work, it could mean that your java application is ignoring the default cacerts keystore and it is using some custom file. This would leave you at the mercy of the application's documentation regarding a trust store.
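To check the last two points without guessing, here is an added example (my own, not code from the answer above or from Tomcat) that asks the JVM whether x.cer is trusted, either by an explicit store file such as the cacerts path above, or, with no path given, by whatever that JVM uses as its default trust store (cacerts, or a -Djavax.net.ssl.trustStore override). The class name TrustCheck and the argument order are my choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not from the answer above.
// Usage: java TrustCheck x.cer [truststore-path [password]]
// Without a path it uses the JVM default trust store (cacerts, or the
// file given by -Djavax.net.ssl.trustStore), i.e. what the app sees.
public class TrustCheck {
    // A null KeyStore makes TrustManagerFactory fall back to the JVM default.
    static X509TrustManager trustManagerFor(String storePath, char[] password) throws Exception {
        KeyStore ks = null;
        if (storePath != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(storePath)) {
                ks.load(in, password); // null password skips the integrity check
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Same chain check an HTTPS client performs; hostname verification is a separate step.
    static boolean isTrusted(X509Certificate cert, X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[] { cert }, cert.getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            return false; // e.g. "unable to find valid certification path to requested target"
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        char[] password = args.length > 2 ? args[2].toCharArray() : null;
        boolean ok = isTrusted(cert, trustManagerFor(args.length > 1 ? args[1] : null, password));
        System.out.println(cert.getSubjectX500Principal() + " trusted: " + ok);
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once against the cacerts file you imported into and once with no path but the same -D options Tomcat starts with; if the first says trusted and the second does not, the application is using a custom trust store.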