Automatic import of trusted certificates to the Java truststore
This document describes how to automatically update the truststore used by Java with your own trusted certificates placed in a local folder.
Please note that this feature was introduced in PAS 4.4.
System requirements
- PAS version 4.4 or later
Configuration
- Create a folder reachable by the PAS server where you will place your truststores, such as "PAS-INSTALLATION"\overlay\truststores
- Place your custom truststores in the newly created folder (PEM or plain base64; the filename is used as the alias)
- Configure the Java option -Dcom.phenixidentity.cacerts.dir so that it points to the newly created directory, e.g.:
-Dcom.phenixidentity.cacerts.dir=overlay\truststores
- Restart the PAS service
This instruction gives an example of how to add a Java option to the PAS server.
Note: The destination truststore must be writable by the PAS application.
Verify
At server startup, lines similar to these are written to the server.log file:
2022-05-25 16:11:06,114 [NodeVerticle] INFO: Importing CA certs from: C:\Program Files\PhenixID\Server\overlay\truststores
2022-05-25 16:11:06,115 [NodeVerticle] INFO: Importing CA certs to: c:\program files\phenixid\server\jre\lib\security\cacerts
Note also that the cacerts file is modified at each restart.
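As an added example (not PhenixID's own code), a small Python helper that covers both the configuration steps and the Verify section above: it classifies each file in the truststore folder as PEM or plain base64, pulls the source and destination paths out of the two server.log import lines, and asks keytool whether each file name is now present as an alias in cacerts. It assumes keytool is on PATH, the JRE default cacerts password "changeit", and that the alias is the file name exactly as the page states.

```python
import base64
import re
import subprocess
import sys
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
LOG_RE = re.compile(r"INFO: Importing CA certs (from|to): (.+)$")

def classify(data: bytes) -> str:
    """Return 'pem', 'b64' or 'unknown' for the contents of one truststore file."""
    if PEM_HEADER in data:
        return "pem"
    try:  # plain base64 of a DER certificate; line breaks and spaces are tolerated
        der = base64.b64decode(b"".join(data.split()), validate=True)
    except ValueError:
        return "unknown"
    return "b64" if der[:1] == b"\x30" else "unknown"  # DER cert = ASN.1 SEQUENCE (0x30)

def preflight(folder: Path) -> dict:
    """Map each file name (the alias PAS uses, per the page) to its detected format."""
    return {p.name: classify(p.read_bytes()) for p in sorted(folder.iterdir()) if p.is_file()}

def import_paths(log_text: str) -> dict:
    """Extract the 'from' (source folder) and 'to' (cacerts) paths from server.log lines."""
    found = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def alias_present(cacerts: Path, alias: str, storepass: str = "changeit") -> bool:
    """Check via keytool whether alias exists in cacerts (assumes default password 'changeit')."""
    cmd = ["keytool", "-list", "-keystore", str(cacerts), "-alias", alias,
           "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True).returncode == 0  # non-zero = alias missing

# Constructed sample log in the shape of the server.log extract shown on this page.
SAMPLE_LOG = """\
2022-05-25 16:11:06,114 [NodeVerticle] INFO: Importing CA certs from: C:\\Program Files\\PhenixID\\Server\\overlay\\truststores
2022-05-25 16:11:06,115 [NodeVerticle] INFO: Importing CA certs to: c:\\program files\\phenixid\\server\\jre\\lib\\security\\cacerts
"""

if __name__ == "__main__":  # usage: python check_truststores.py <path to server.log>
    paths = import_paths(Path(sys.argv[1]).read_text(errors="replace"))
    for alias, fmt in preflight(Path(paths["from"])).items():
        ok = fmt != "unknown" and alias_present(Path(paths["to"]), alias)
        print(f"{alias:40} {fmt:8} {'imported' if ok else 'MISSING'}")
```

Run it against the real server.log after a restart; a file reported as "unknown" is neither PEM nor valid base64 DER, and a "MISSING" alias means the restart did not import that file into the destination cacerts.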