Include additional certificates in JRE keystore [message #1839676] |
Thu, 25 March 2021 14:21  |
Eclipse User |
The JREs provided by JustJ come with the usual keystore located at \jre\lib\security\cacerts.
I need to include some additional company-specific certificates so that my product can access certain p2 update sites via HTTPS.
I know how to add certificates to a keystore using the keytool application so that I can prepare an enhanced cacerts file. Now I wonder how to inject it into a JRE which I am consuming from a JustJ update site.
A feature patch might help but do I really want to prepare such a patch each time I move to a newer JRE?
Is there a better way to make sure the additional certificates will be present in my final product's cacerts file?
And what if these certificates expire and I want to replace them (maybe by providing an update using p2)?
Any idea or suggestion is appreciated!
Re: Include additional certificates in JRE keystore [message #1839942 is a reply to message #1839679] |
Thu, 01 April 2021 15:12  |
Eclipse User |
Thanks for your valuable hints, Ed.
For those who are interested in which solution I've selected:
Using the concept of root files (https://help.eclipse.org/2021-03/index.jsp?topic=/org.eclipse.pde.doc.user/tasks/pde_rootfiles.htm) I put our custom cacerts file into one of our features like this: /rootfiles/plugins/org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_15.0.2.v20210201-0955/jre/lib/security/cacerts
Unfortunately I had to hard code some version information in a folder name. And in build.properties I added a line: root=rootfiles
Effectively, the original cacerts file of that JRE is now replaced by our custom one in the final product.
(My attempt to put a VM argument -Djavax.net.ssl.trustStore=[...] in our product definition finally failed when I found out that the path I had provided with this property is always interpreted relative to the working directory from where the IDE is started. In our case this is most of the time not the root folder of our Eclipse product.)
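
An added example, not part of the original posts: a shell script for the root-files approach described above. It takes the JustJ bundle folder name from the unpacked bundle instead of hard-coding the version, starts from that JRE's own cacerts, and re-imports company certificates by alias so an expired one can be replaced. The directory arguments, the `.crt` suffix and the function names are assumptions; `changeit` is the default cacerts password.

```shell
#!/bin/sh
# Added example. Directory arguments, the .crt suffix and all function names
# are assumptions; the bundle prefix is the one quoted in the post.
JRE_PREFIX=${JRE_PREFIX:-org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_}

# Print the name of the single JustJ JRE bundle folder under plugins dir $1.
find_jre_bundle() {
    plugins_dir=$1
    set -- "$plugins_dir"/"$JRE_PREFIX"*
    if [ $# -ne 1 ] || [ ! -d "$1" ]; then
        echo "expected exactly one $JRE_PREFIX* folder in $plugins_dir" >&2
        return 1
    fi
    basename "$1"
}

# Copy that JRE's own cacerts to the mirrored path under rootfiles dir $2,
# so the public CA set matches the JRE version; print the staged path.
stage_cacerts() {
    bundle=$(find_jre_bundle "$1") || return 1
    dest="$2/plugins/$bundle/jre/lib/security"
    mkdir -p "$dest" || return 1
    cp "$1/$bundle/jre/lib/security/cacerts" "$dest/cacerts" || return 1
    echo "$dest/cacerts"
}

# Import each *.crt in dir $2 into keystore $1 (alias = file name). An
# existing alias is deleted first, so a renewed certificate replaces the old.
import_company_certs() {
    keystore=$1 cert_dir=$2 storepass=${3:-changeit}   # changeit: JDK default
    for crt in "$cert_dir"/*.crt; do
        [ -f "$crt" ] || continue
        cert_alias=$(basename "$crt" .crt)
        if keytool -list -keystore "$keystore" -storepass "$storepass" \
                -alias "$cert_alias" >/dev/null 2>&1; then
            keytool -delete -keystore "$keystore" -storepass "$storepass" \
                -alias "$cert_alias" || return 1
        fi
        keytool -importcert -noprompt -keystore "$keystore" \
            -storepass "$storepass" -alias "$cert_alias" -file "$crt" || return 1
    done
}

# Usage: sh stage-cacerts.sh <plugins-dir> <rootfiles-dir> <cert-dir>
if [ $# -eq 3 ]; then
    ks=$(stage_cacerts "$1" "$2") && import_company_certs "$ks" "$3" \
        && echo "staged $ks"
fi
```

Run before each build, the script fails instead of staging into a stale folder when the JRE bundle version changes or more than one version is present.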