I manually added some new certificates to /etc/pki/ca-trust/extracted/java/cacerts and it makes Java trust these certificates, as Java is configured to use this certificate location. However, from what I'm reading, to do it properly and make sure this change survives future cert system updates, it should be done like so:
- add to /etc/pki/ca-trust/source/anchors
- run update-ca-trust
However, this doesn't work, i.e. certificates from source anchors are not transferred to Java cacerts.
A proposed solution discussed here https://access.redhat.com/discussions/3018271 is to first run “trust anchor /etc/pki/ca-trust/source/anchors/*.cer” but then I’m getting “p11-kit: couldn’t create object: The field is read-only”.
How can this error be fixed, and how should I proceed?
System:
cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
Java:
java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
2 Answers
Are you importing the CA root or an Intermediate? I faced this issue because I was trying to add a root CA, when I really needed to add the intermediate CA for my wildcard cert.
I am struggling with the same problem.
When I add the option -v to update-ca-trust for the last line I get:
With
trust anchor cert.pem
I have the same situation. Then I get the file /etc/pki/ca-trust/source/domain(from CN).p11-kit. I am modifying this file according to https://access.redhat.com/discussions/3018271. I run update-ca-trust again. After this I can find my certificate also in /etc/pki/ca-trust/extracted/java/cacerts.
For the experiment I've uncommented the line:
from update-ca-trust. When you run the command
trust anchor cert.pem
then the command update-ca-trust is invoked at the end. I don't know why I cannot keep those files at /etc/pki/ca-trust/source/anchors, or why update-ca-trust ignores certificate category: other-entry.
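The second answer's finding, that update-ca-trust leaves out an anchor whose certificate category is other-entry until the generated .p11-kit file is edited, can be checked before re-running update-ca-trust with a small script. This is an added example, not code from the thread or from p11-kit; it assumes the .p11-kit object file layout (a [p11-kit-object-v1] header followed by key: value lines, with the category stored in a certificate-category attribute) and uses a constructed sample object rather than a real certificate.

```python
"""Flag trust-anchor objects whose certificate-category is other-entry:
the CA-anchor extraction behind the Java cacerts skips them."""
import re

HEADER = "[p11-kit-object-v1]"  # assumed header of each object in a .p11-kit file

def parse_p11kit_objects(text):
    """Parse 'key: value' blocks into one dict per object; '#' lines are comments."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == HEADER:
            current = {}
            objects.append(current)
            continue
        if current is None:
            raise ValueError("attribute before object header: %r" % line)
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # labels are written quoted
        current[key.strip()] = value
    return objects

def anchors_skipped_by_java_extraction(text):
    """Labels of certificate objects update-ca-trust will not export as CA anchors."""
    return [o.get("label", "<unlabelled>") for o in parse_p11kit_objects(text)
            if o.get("class") == "certificate"
            and o.get("certificate-category") == "other-entry"]

def promote_to_authority(text):
    """The manual edit from the thread: mark the object as a CA (authority) anchor."""
    return re.sub(r"^(certificate-category:\s*)other-entry\s*$", r"\1authority",
                  text, flags=re.MULTILINE)

# Constructed sample in the shape 'trust anchor cert.pem' writes; the value is a
# placeholder, not a real DER certificate.
SAMPLE = """\
[p11-kit-object-v1]
trusted: true
certificate-category: other-entry
class: certificate
label: "internal-ca.example (constructed)"
value: "%30%82"
"""
```

Run it over each file in /etc/pki/ca-trust/source/*.p11-kit after `trust anchor`; an empty list from anchors_skipped_by_java_extraction means the object will be picked up as a CA anchor.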