Importing a Certificate into a Java Keystore

To manipulate a trust store from the command line, use the following procedures.

Trusting a specific host

Use this procedure when you want the Hub CLI to trust a specific Hub Server. Start with a new certificate; always copy cacerts unless you have another base trust store. A common mistake is to create a trust store that trusts only a single self-signed certificate, which causes other problems.

$ cp "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/lib/security/jssecacerts"
$ keytool -printcert -rfc -sslserver hub.example.com | keytool -importcert -keystore "$JAVA_HOME/lib/security/jssecacerts" -storepass changeit -alias hubexamplecomserver -noprompt

Some servers use Server Name Indication (SNI) during the TLS handshake to determine which certificate to return. If so, use OpenSSL s_client to obtain the correct certificate.

$ openssl s_client -connect host.example.com:443 -servername host.example.com </dev/null 2>/dev/null | openssl x509
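
The import command above trusts whatever certificate the network returns, and -noprompt suppresses keytool's confirmation. The following is an added example, not part of the original page: it checks the fetched certificate's SHA-256 fingerprint against a value obtained out of band (for example from the Hub Server's administrator) before importing. The function names are hypothetical; the keystore path, alias and store password are the ones used in the commands above.

```sh
# Added example: pin the fetched certificate to a fingerprint obtained out of
# band before importing it. Function names here are hypothetical.

# Strip colons/whitespace and upper-case a hex fingerprint.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if $1 is exactly 64 hex digits (SHA-256) and equals $2.
fp_matches() {
  local a b
  a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
  case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# fetch_cert HOST PORT OUTFILE: same SNI-aware s_client call as above.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -out "$3"
}

# import_pinned HOST PORT EXPECTED_FP KEYSTORE ALIAS
# Imports only when the served certificate matches EXPECTED_FP.
# e.g. import_pinned hub.example.com 443 "$EXPECTED_FP" \
#        "$JAVA_HOME/lib/security/jssecacerts" hubexamplecomserver
import_pinned() {
  local pem rc=1
  pem=$(mktemp) || return 1
  if fetch_cert "$1" "$2" "$pem" && fp_matches "$3" "$(cert_fp "$pem")"; then
    keytool -importcert -file "$pem" -keystore "$4" -storepass changeit \
      -alias "$5" -noprompt && rc=0
  else
    echo "certificate fetch failed or fingerprint mismatch; not imported" >&2
  fi
  rm -f "$pem"
  return "$rc"
}
```

A non-zero return means nothing was added to the trust store, so the call can gate a provisioning script.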

For more information, refer to keytool - Key and Certificate Management Tool.