Migrating a certificate keystore to another JVM

Published 2019-05-31 12:30

Question:

I am working on an installer which needs a JRE and creates certificates as well. I am working on the next version of the installer, which bundles a new JRE. I need to move all the certificates that are imported in the cacerts keystore of the old JRE to the new JRE. Will the existing certificates in cacerts be valid if I copy the "cacerts" file under the old jre/lib/security/ directory to the new JRE I will be installing?

I looked at the question "Is it possible to import all contents of cacerts into a jssecacerts file?" to import certificates into my keystore. Does this mean I need to back up the existing jre/lib/security/cacerts and import it to the new JRE if the keystore migration by copying cacerts will not work?

Answer 1:

You don't want to do this. You don't want to disturb the certificates that are already in the new trustStore, and you don't want to copy anything from the original contents of the old trustStore that isn't in the default contents of the new trustStore. You want to import all the certificates that you have added to the old default trustStore to the new default trustStore. So keep track of them, in a separate place, and just repeat the original import process on the new trustStore.
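
One way to script the "repeat the original import process" step described in the answer above, as an added example that is not part of the original answer. It assumes the certificates you added are kept as individual files in one directory (a hypothetical layout), takes each alias from the file name, uses the hypothetical class name `ReimportTrustedCerts`, and needs Java 9 or later for `KeyStore.getInstance(File, char[])`.

```java
import java.io.*;
import java.math.BigInteger;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;

// Usage: java ReimportTrustedCerts <tracked-cert-dir> <new-jre>/lib/security/cacerts <storepass>
public class ReimportTrustedCerts {
    public static void main(String[] args) throws Exception {
        Path certDir = Paths.get(args[0]);            // assumed: one file per certificate you added
        File cacerts = new File(args[1]).getAbsoluteFile();
        char[] password = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance(cacerts, password); // detects JKS or PKCS12
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(certDir, "*.{pem,crt,cer}")) {
            for (Path file : files) {
                X509Certificate cert;
                try (InputStream in = Files.newInputStream(file)) {
                    cert = (X509Certificate) cf.generateCertificate(in);
                }
                String name = file.getFileName().toString();
                String alias = name.substring(0, name.lastIndexOf('.')).toLowerCase();
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
                String sha256 = String.format("%064x", new BigInteger(1, digest));
                try {
                    cert.checkValidity();             // do not carry expired trust anchors forward
                } catch (CertificateException e) {
                    System.out.println("SKIP not valid now: " + name + " " + sha256);
                    continue;
                }
                if (ks.getCertificateAlias(cert) != null) {       // new defaults already trust it
                    System.out.println("SKIP already present: " + name);
                } else if (ks.containsAlias(alias)) {             // never overwrite a default entry
                    System.out.println("SKIP alias in use by another cert: " + alias);
                } else {
                    ks.setCertificateEntry(alias, cert);
                    added++;
                    System.out.println("ADD " + alias + " sha256=" + sha256);
                }
            }
        }
        if (added == 0) return;                       // leave the new trustStore untouched
        Path tmp = Files.createTempFile(cacerts.toPath().getParent(), "cacerts", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, password);                  // write fully, then swap into place
        }
        Files.move(tmp, cacerts.toPath(), StandardCopyOption.REPLACE_EXISTING);
    }
}
```

The printed SHA-256 fingerprints give an audit record of exactly which trust anchors were added to the new JRE, which can be compared against the list you keep separately.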