Verify Needed Root Certificates Exist in Java Trust Store for Datawire JavaAPI

Purpose

This document describes how to check that the required root CA certificates are present in the JDK's trust store, and how to import them if they are missing. A correctly populated trust store is what allows Datawire JavaAPI to keep working when the Datawire servers' certificates are upgraded to 2048-bit keys in 2014.

What the needed VeriSign Root CA certificates are

Both of the following VeriSign root certificates are needed for Datawire JavaAPI to work reliably:

Root 1: VeriSign Class 3 Public Primary CA
Class 3 Public Primary Certification Authority (VeriSign Class 3 Public Primary CA)
Version: 1
Country: US
Organization: VeriSign, Inc.
Organizational Unit: Class 3 Public Primary Certification Authority
Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be
Valid From: Sunday, January 28, 1996 4:00:00 PM
Valid To: Wednesday, August 02, 2028 3:59:59 PM
Certificate SHA1 Thumbprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b
Key Size: RSA (1024 bits)
Signature Algorithm: sha1RSA
File name in root package: Class 3 Public Primary Certification Authority

Root 2: VeriSign Class 3 Public Primary CA - G5
VeriSign Class 3 Public Primary Certification Authority - G5
Version: 3
Country: US
Organization: VeriSign, Inc.
Organizational Unit: VeriSign Trust Network
Organizational Unit: (c) 2006 VeriSign, Inc. - For authorized use only
Common Name: VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
Operational Period: Tue, November 07, 2006 to Wed, July 16, 2036
Certificate SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
Key Size: RSA (2048 bits)
Signature Algorithm: sha1RSA

The VeriSign certificates can be downloaded from verisign.com.
To download the VeriSign root CAs:

1. Go to http://www.verisign.com/support/roots.html and click the link 'Download a root package for VeriSign Certificates (roots.zip file)'.
2. Select 'Save File'.
3. Click OK.
4. Locate the folder where the .zip file was saved.
5. Extract the .zip file and locate the file 'Serial Numbers.txt'. This file is used to find the correct folder for each VeriSign root CA: match the serial numbers listed above.
6. Go to the folder where the root CA is located.

What the needed Equifax Root CA certificate is

Root 3: Equifax Secure Certificate Authority
Version: 3
Organization: Equifax
Country: US
Serial Number: 35:DE:F4:CF
Validity Period: Sat Aug 22, 1998 to Wed Aug 22, 2018 (GMT)
Certificate Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
Certificate Fingerprint (SHA-1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
Key Length: RSA (1024 bits)

This certificate can be downloaded from geotrust.com.
To download the Equifax root CA:

1. Go to http://www.geotrust.com/resources/root-certificates/ and look for 'Root 1 Equifax Secure Certificate Authority (exp 8/22/2018)'.
2. Right-click 'Download Equifax Secure Certificate Authority' and choose 'Save Target As'.
3. Click Save.
4. Go to the folder where the certificate was saved.
Steps to Verify

1. Get the location of the trust store file (part of the Datawire JavaAPI environment).

Suppose <java_home> is the JDK home directory. Check the file <java_home>/jre/lib/management/management.properties for this line:

javax.net.ssl.trustStore=/location/to/truststore

Then /location/to/truststore is the trust store file. The property name is case-sensitive (trustStore, with a capital S). A -Djavax.net.ssl.trustStore=... option on the java command line that launches the application selects the trust store in the same way and takes effect regardless of this file, so check the launch command as well.

If the line is commented out, like this:

# javax.net.ssl.trustStore=/location/to/truststore

then the default trust store is used, which is located at:

<java_home>/jre/lib/security/cacerts

2. Dump all certificates in the trust store with the JDK's keytool program. Assuming the trust store identified in step 1 is /location/to/truststore:

$ keytool -list -keystore /location/to/truststore -v > tmp.store

Notes:
- On Windows, write the path with backslashes ( \ ), e.g. location\to\truststore.
- The default password of the preinstalled cacerts trust store is changeit.

The command writes the details of every certificate in the store to the temporary file tmp.store. Open this file and search for the serial number of each needed certificate:

3c9131cb1ff6d01b0e9ab8d044bf12be  for root certificate 1, VeriSign Class 3 Public Primary CA
18dad19e267de8bb4a2158cdcc6b3b4a  for root certificate 2, VeriSign Class 3 Public Primary CA - G5
35def4cf                          for root certificate 3, Equifax Secure Certificate Authority

If a serial number is found, compare the other details of that entry (subject, issuer, version, validity period and, above all, the SHA1 fingerprint) against the values given in the section 'What the needed certificates are'. A serial number is only unique within one issuer, so the fingerprint is the check that identifies the exact certificate. If all three entries are found and match, the trust store is good and nothing more needs to be done. If any of them is missing, or its details do not match, go to step 3 to import the missing certificate(s).

3. Import the missing certificate(s). Importing a CA certificate modifies a system file, so run keytool with administrator privilege (on Windows, open the command prompt as administrator). Before importing, confirm that the downloaded file's SHA1 fingerprint (keytool's -printcert option displays it) equals the value listed above for that root; the download pages are served over plain HTTP, so this comparison is what establishes that the file is the genuine root and not a substitute. Then import the file with keytool's -importcert option, giving the trust store from step 1 as the keystore. The example in this document assumes the downloaded root CA certificate is in the file PCA-3.pem.
When keytool reports 'Certificate was added to keystore', the root CA certificate has been imported successfully; step 2 above can be repeated to view the imported certificate in the store. The example, which imports root certificate 1 (see the section 'What the needed certificates are') from PCA-3.pem, can be repeated for any other root certificate that is missing.
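The whole procedure above (locate the trust store, list it, match each required root, import what is missing) as one POSIX shell script that drives keytool the same way the manual steps do. This is an added example, not part of the Datawire document or its JavaAPI. It assumes keytool is on PATH, that the store password is changeit unless STOREPASS is set, that the alias names given to imported roots are our own choice, and that a JDK 9+ installation keeps cacerts under lib/security (the document only gives the jre/lib/security path). The serial numbers and SHA-1 fingerprints are the ones listed above; SAMPLE_LISTING is a constructed fragment of keytool -list -v output, not a real dump, used only to exercise the parser offline. Unlike a manual search of tmp.store, the script matches each root on serial number and then on SHA-1 fingerprint, and refuses to import a downloaded file whose fingerprint differs from the expected one.

```shell
#!/bin/sh
# Added example (not from the Datawire document): check a Java trust store for
# the three roots listed above by serial number AND SHA-1 fingerprint, and
# import a downloaded root only after its fingerprint has been verified.
# Assumptions: keytool on PATH; store password "changeit" unless STOREPASS is
# set; the alias names in REQUIRED_ROOTS are our own choice.

# serial  sha1-fingerprint  alias  (serials/fingerprints from the page, aliases assumed)
REQUIRED_ROOTS='
3c9131cb1ff6d01b0e9ab8d044bf12be a1db6393916f17e4185509400415c70240b0ae6b verisign_class3_pca
18dad19e267de8bb4a2158cdcc6b3b4a 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5 verisign_class3_pca_g5
35def4cf d23209ad23d314232174e40d7f9d62139786633a equifax_secure_ca
'

# Lower-case a hex string and drop the colons/spaces that keytool, browsers and
# this document insert, so "A1:DB:63", "a1 db 63" and "a1db63" compare equal.
norm_hex() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# Step 1: default trust store. JDK 8 and earlier: jre/lib/security/cacerts;
# JDK 9+ (assumed here): lib/security/cacerts. A -Djavax.net.ssl.trustStore
# on the java command line overrides both, so pass that path explicitly.
default_truststore() {
  home="${JAVA_HOME:-$(dirname "$(dirname "$(command -v java)")")}"
  for p in "$home/jre/lib/security/cacerts" "$home/lib/security/cacerts"; do
    [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# Step 2 parser: read 'keytool -list -v' output on stdin and print
# "<alias> <SHA1 fingerprint>" for the entry whose serial equals $1
# (any case, colons optional). Prints nothing when the serial is absent.
entry_for_serial() {
  want=$(norm_hex "$1")
  awk -v want="$want" '
    /^Alias name: /    { alias = substr($0, 13); hit = 0 }
    /^Serial number: / { s = tolower($3); gsub(/:/, "", s); hit = (s == want) }
    hit && /SHA1: /    { print alias, $2; hit = 0 }
  '
}

# SHA-1 fingerprint of a downloaded certificate file (PEM or DER).
file_sha1() { keytool -printcert -file "$1" | awk '/SHA1: / { print $2; exit }'; }

# Step 2: report every required root as OK, MISSING or MISMATCH. MISMATCH means
# an entry with the same serial but another fingerprint: a different certificate.
check_store() {
  store="${1:-$(default_truststore)}" || return 2
  listing=$(keytool -list -v -keystore "$store" -storepass "${STOREPASS:-changeit}") || return 2
  printf '%s\n' "$REQUIRED_ROOTS" | while read -r serial sha1 name; do
    [ -n "$serial" ] || continue
    found=$(printf '%s\n' "$listing" | entry_for_serial "$serial")
    if [ -z "$found" ]; then
      echo "MISSING  $name (serial $serial)"
    elif [ "$(norm_hex "${found#* }")" = "$sha1" ]; then
      echo "OK       $name (alias ${found%% *})"
    else
      echo "MISMATCH $name: alias ${found%% *} has serial $serial but fingerprint ${found#* }"
    fi
  done
}

# Step 3: import a downloaded root, refusing if its fingerprint is not the one
# expected. -noprompt skips keytool's "Trust this certificate?" question, which
# is only safe because the fingerprint was checked first. Needs write access to
# the store (run as administrator on Windows).
import_cert() {
  file=$1; alias=$2; expected=$(norm_hex "$3"); store="${4:-$(default_truststore)}"
  actual=$(norm_hex "$(file_sha1 "$file")")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to import $file: fingerprint $actual, expected $expected" >&2
    return 1
  fi
  keytool -importcert -trustcacerts -noprompt -alias "$alias" -file "$file" \
    -keystore "$store" -storepass "${STOREPASS:-changeit}"
}

# Constructed 'keytool -list -v' fragment (not a real dump) for offline testing.
SAMPLE_LISTING='Alias name: verisignclass3ca
Entry type: trustedCertEntry
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 3c9131cb1ff6d01b0e9ab8d044bf12be
Certificate fingerprints:
     SHA1: A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
Signature algorithm name: SHA1withRSA

Alias name: someotherca
Serial number: 01
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
'

# Usage: sh trustcheck.sh check [store]
#        sh trustcheck.sh import PCA-3.pem verisign_class3_pca a1db6393916f17e4185509400415c70240b0ae6b [store]
case "${1:-}" in
  check)  check_store "$2" ;;
  import) import_cert "$2" "$3" "$4" "$5" ;;
esac
```

Run `sh trustcheck.sh check` to get one OK/MISSING/MISMATCH line per root, then `sh trustcheck.sh import <file> <alias> <expected-sha1>` for each MISSING root. Passing -storepass on the command line makes the password visible in process listings, which is acceptable for the default changeit on cacerts but not for a store with a real password. On Windows the same keytool commands work from cmd or PowerShell; the parser itself needs a POSIX shell with awk (Git Bash or WSL).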