Add new certificates to trust store


This document provides examples of how to add certificates to the trust store.
Examples are provided for PAS and Apache.
For other solutions, please consult the documentation for that specific service.

Make sure to have a backup of the current trust store file before adding certificates.


  • PhenixID Server installed

PhenixID Server

By default, PAS uses the cacerts file in the JRE shipped with the product, located in: <PASinstallationdir>/Server/jre/lib/security
Keytool can be used to add certificates to the store, as in this example:
<PASinstallationdir>/Server/jre/bin/keytool -importcert -file <pathtocertificatefile>/certificate.cer -keystore <PASinstallationdir>/Server/jre/lib/security/cacerts -alias myaliasforthecertificate

To verify that the certificate has been added, use the following command:
keytool -list -keystore <pathto>/cacerts

If "CertificateValidatorValve" is used, verify the settings for the parameters "trust_store_path" and "trust_store_ref". Certificates should be added to the file specified in the path.


If Apache is used, locate the configuration/start file used for the installation.

On Linux it should look something like this example:

And on Windows:

Locate the line:
Add the certificate(s) to the file set in “SSLCACertificateFile”.
For example, /etc/apache2/ssl.crt/ca-bundle.crt
This can be done using a text editor, openssl command, certutil or other tools of choice.
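
The following is an added example, not part of the original article and not PhenixID code: it appends a PEM certificate to the file set in "SSLCACertificateFile", taking the backup this document asks for first and skipping certificates the bundle already holds. The function names and the backup file naming are assumptions; the check covers PEM framing and base64 only, not X.509 validity.

```python
import hashlib
import re
import shutil
import ssl
import time
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_text):
    """Map SHA-256 fingerprint -> PEM block for every certificate in pem_text."""
    found = {}
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)  # checks PEM framing and base64 only
        found[hashlib.sha256(der).hexdigest()] = block
    return found


def add_to_bundle(bundle_path, new_cert_path):
    """Back up the bundle, then append certificates it does not already hold.

    Returns (backup_path, added_fingerprints); backup_path is None when
    nothing had to be added and the bundle was left untouched.
    """
    bundle = Path(bundle_path)
    existing = fingerprints(bundle.read_text())
    new = fingerprints(Path(new_cert_path).read_text())
    if not new:
        raise ValueError(f"no PEM certificate found in {new_cert_path}")
    to_add = {fp: pem for fp, pem in new.items() if fp not in existing}
    if not to_add:
        return None, []
    # Hypothetical backup naming: <bundle name>.<timestamp>.bak next to the bundle.
    backup = bundle.with_name(bundle.name + time.strftime(".%Y%m%d-%H%M%S.bak"))
    shutil.copy2(bundle, backup)  # backup before any change to the trust store
    with bundle.open("a") as fh:
        for pem in to_add.values():
            fh.write("\n" + pem.strip() + "\n")
    # Re-read the file to confirm every new fingerprint is now present.
    after = fingerprints(bundle.read_text())
    if any(fp not in after for fp in to_add):
        shutil.copy2(backup, bundle)
        raise RuntimeError("verification failed, bundle restored from backup")
    return backup, sorted(to_add)
```

Call it as add_to_bundle("/etc/apache2/ssl.crt/ca-bundle.crt", "<pathtocertificatefile>/certificate.pem"). A DER-encoded certificate file has to be converted to PEM before it can be appended this way.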