Latest Release‎ > ‎Developer HowTos‎ > ‎

How to add a CA to the truststore

The GridShib-CA GridShibCA.jar Java Web Start client comes with a bundle of CAs (specifically the IGTF distribution) that it uses to verify the https certificate of the Apache instance in which the GridShib-CA server is running. If the certificate of that Apache instance is not in this bundle, the user will get unfriendly errors. This document describes the process of adding certificates to that jar without having to rebuild all the java code.

Note that an alternative, you can build the GridShib-CA from CVS. If doing so, put any new certificates to be trusted in java/GridShibCAClient/trusted-https-certs/ and then rebuild the truststore ('make truststore') and jar ('make jar').

WARNING: A number of java applications echo passwords to the screen as they are typed, so be aware of this as you proceed and be wary of doing this process in a public place.


For this process, you will need:
  • A java keystore (in the default ~/.keystore location)
  • The following java applications: keytool, jar, jarsigner

Change to GridShib CA distribution directory

All of these commands assume you are running in the top-level directory created by GridShibCA tarball (typically "gridshib-ca-2.0.0/" or something similar).

Add your CA certificate to trustStore

Now add your CA certificate to the truststore that comes with the GridShib CA distribution (should be in java/GridShibCAClient/resources/trustStore). These directions assume your CA certificate is in a PEM formatted file called "myca-cert.0". The storepass argument is not used for anything, but has to be supplied to keytool, so a dummy value ("abcef") is used.

% keytool -import -keystore java/GridShibCAClient/resources/trustStore -noprompt -alias "MyCA" -storepass abcdef -file myca-cert.0
Certificate was added to keystore

You can repeat this step as needed to add multiple CA certificates (in case you want to use the same jar with multiple web servers), you just need to use a unique argument to -alias for each CA certificate.

Update GridShibCA jar

First, locate the jar file to which you need to add the certificate. You can do that by looking for the definition of JAR_PATH in the Makefile, e.g.:

% grep ^JAR_PATH Makefile
JAR_PATH = java/GridShibCAClient/dist/GridShibCA-2.0.0.jar

Now update the GridShibCA jar file with the updated trust store.

Note: When you do this, you will break the signature on the jar (which we address in the subsequent step).

Note: The version number of the GridShib CA distribution is embedded in the jar filename, you will need to adjust it accordingly in the directions below.

% mv java/GridShibCAClient/dist/GridShibCA-2.0.0.jar java/GridShibCAClient/dist/GridShibCA-2.0.0.jar.modified
% jar uf java/GridShibCAClient/dist/GridShibCA-2.0.0.jar.modified java/GridShibCAClient/resources/trustStore

Sign new jar file

Now resign the jar with your keystore. Use the password you created when you established the keystore (the "Export Password").

Note: This assumes your keystore is in the default location (~/.keystore), if not add a "-keystore /path/to/keystore" argument.

Note: For the subsequent install to work, the signed jar (first filename argument) must be the original location of the GridShibCA jarfile (i.e. the value of JAR_PATH in the Makefile).

% jarsigner -storetype pkcs12 -signedjar java/GridShibCAClient/dist/GridShibCA-2.0.0.jar java/GridShibCAClient/dist/GridShibCA-2.0.0.jar.modified  default
Enter Passphrase for keystore:

Install new jar file

Now install your new jarfile. You probably need to be root to have appropriate permissions.

% sudo make install