Default Trusted KeyStore File - cacerts

This section provides a tutorial example on how to view the content of the default trusted KeyStore file, 'cacerts', with the KeyStore tool, 'keytool'. The password to open 'cacerts' is 'changeit'.

To do more tests, we need to learn more about the KeyStore file format and the tool to manage KeyStore files.

According to the Java documentation, a KeyStore file is a binary file that can be used to store multiple private keys and certificates. KeyStore files are usually password protected.

The default tool is the command line tool, "keytool", provided in the JDK package. It can be used to manage KeyStore files.

Now let's try to create a copy of the default trusted KeyStore file, "cacerts", and view its content. By the way, the password for "cacerts" is "changeit".

C:\herong>copy \local\jdk\jre\lib\security\cacerts cacerts_original
        1 file(s) copied.

C:\herong>\local\jdk\bin\keytool -list -keystore cacerts_original 
   -storepass changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 104 entries

actalisauthenticationrootca [jdk], Apr 13, 2016, trustedCertEntry, 
addtrustclass1ca [jdk], Apr 13, 2016, trustedCertEntry, 
addtrustexternalca [jdk], Apr 13, 2016, trustedCertEntry, 
addtrustqualifiedca [jdk], Apr 13, 2016, trustedCertEntry, 
affirmtrustcommercialca [jdk], Apr 13, 2016, trustedCertEntry, 
affirmtrustnetworkingca [jdk], Apr 13, 2016, trustedCertEntry, 
affirmtrustpremiumca [jdk], Apr 13, 2016, trustedCertEntry, 
affirmtrustpremiumeccca [jdk], Apr 13, 2016, trustedCertEntry, 
aolrootca1 [jdk], Apr 13, 2016, trustedCertEntry, 
aolrootca2 [jdk], Apr 13, 2016, trustedCertEntry, 
baltimorecodesigningca [jdk], Apr 13, 2016, trustedCertEntry, 
baltimorecybertrustca [jdk], Apr 13, 2016, trustedCertEntry, 
buypassclass2ca [jdk], Apr 13, 2016, trustedCertEntry, 
buypassclass3ca [jdk], Apr 13, 2016, trustedCertEntry, 
camerfirmachambersca [jdk], Apr 13, 2016, trustedCertEntry, 
camerfirmachamberscommerceca [jdk], Apr 13, 2016, trustedCertEntry, 
camerfirmachambersignca [jdk], Apr 13, 2016, trustedCertEntry, 
certplusclass2primaryca [jdk], Apr 13, 2016, trustedCertEntry, 
certplusclass3pprimaryca [jdk], Apr 13, 2016, trustedCertEntry, 
certumca [jdk], Apr 13, 2016, trustedCertEntry, 
certumtrustednetworkca [jdk], Apr 13, 2016, trustedCertEntry, 
chunghwaepkirootca [jdk], Apr 13, 2016, trustedCertEntry, 
comodoaaaca [jdk], Apr 13, 2016, trustedCertEntry, 
comodoeccca [jdk], Apr 13, 2016, trustedCertEntry, 
comodorsaca [jdk], Apr 13, 2016, trustedCertEntry, 
deutschetelekomrootca2 [jdk], Apr 13, 2016, trustedCertEntry, 
digicertassuredidg2 [jdk], Apr 13, 2016, trustedCertEntry, 
digicertassuredidg3 [jdk], Apr 13, 2016, trustedCertEntry, 
digicertassuredidrootca [jdk], Apr 13, 2016, trustedCertEntry, 
digicertglobalrootca [jdk], Apr 13, 2016, trustedCertEntry, 
digicertglobalrootg2 [jdk], Apr 13, 2016, trustedCertEntry, 
digicertglobalrootg3 [jdk], Apr 13, 2016, trustedCertEntry, 
digicerthighassuranceevrootca [jdk], Apr 13, 2016, trustedCertEntry, 
digicerttrustedrootg4 [jdk], Apr 13, 2016, trustedCertEntry, 
dtrustclass3ca2 [jdk], May 10, 2016, trustedCertEntry, 
dtrustclass3ca2ev [jdk], May 10, 2016, trustedCertEntry, 
entrust2048ca [jdk], Apr 13, 2016, trustedCertEntry, 
entrustevca [jdk], Apr 13, 2016, trustedCertEntry, 
entrustrootcaec1 [jdk], Apr 13, 2016, trustedCertEntry, 
entrustrootcag2 [jdk], Apr 13, 2016, trustedCertEntry, 
equifaxsecureca [jdk], Apr 13, 2016, trustedCertEntry, 
equifaxsecureebusinessca1 [jdk], Apr 13, 2016, trustedCertEntry, 
equifaxsecureglobalebusinessca1 [jdk], Apr 13, 2016, trustedCertEntry, 
geotrustglobalca [jdk], Apr 13, 2016, trustedCertEntry, 
geotrustprimaryca [jdk], Apr 13, 2016, trustedCertEntry, 
geotrustprimarycag2 [jdk], Apr 13, 2016, trustedCertEntry, 
geotrustprimarycag3 [jdk], Apr 13, 2016, trustedCertEntry, 
geotrustuniversalca [jdk], Apr 13, 2016, trustedCertEntry, 
globalsignca [jdk], Apr 13, 2016, trustedCertEntry, 
globalsigneccrootcar4 [jdk], Apr 13, 2016, trustedCertEntry, 
globalsigneccrootcar5 [jdk], Apr 13, 2016, trustedCertEntry, 
globalsignr2ca [jdk], Apr 13, 2016, trustedCertEntry, 
globalsignr3ca [jdk], Apr 13, 2016, trustedCertEntry, 
godaddyclass2ca [jdk], Apr 13, 2016, trustedCertEntry, 
godaddyrootg2ca [jdk], Apr 13, 2016, trustedCertEntry, 
gtecybertrustglobalca [jdk], Apr 13, 2016, trustedCertEntry, 
identrustcommercial [jdk], May 10, 2016, trustedCertEntry, 
identrustdstx3 [jdk], May 10, 2016, trustedCertEntry, 
identrustpublicca [jdk], May 10, 2016, trustedCertEntry, 
keynectisrootca [jdk], Apr 13, 2016, trustedCertEntry, 
letsencryptisrgx1 [jdk], May 17, 2017, trustedCertEntry, 
luxtrustglobalrootca [jdk], Apr 13, 2016, trustedCertEntry, 
quovadisrootca [jdk], Apr 13, 2016, trustedCertEntry, 
quovadisrootca1g3 [jdk], Apr 13, 2016, trustedCertEntry, 
quovadisrootca2 [jdk], Apr 13, 2016, trustedCertEntry, 
quovadisrootca2g3 [jdk], Apr 13, 2016, trustedCertEntry, 
quovadisrootca3 [jdk], Apr 13, 2016, trustedCertEntry, 
quovadisrootca3g3 [jdk], Apr 13, 2016, trustedCertEntry, 
secomevrootca1 [jdk], Apr 13, 2016, trustedCertEntry, 
secomscrootca1 [jdk], Apr 13, 2016, trustedCertEntry, 
secomscrootca2 [jdk], Apr 13, 2016, trustedCertEntry, 
securetrustca [jdk], Apr 13, 2016, trustedCertEntry, 
soneraclass2ca [jdk], Apr 13, 2016, trustedCertEntry, 
starfieldclass2ca [jdk], Apr 13, 2016, trustedCertEntry, 
starfieldrootg2ca [jdk], Apr 13, 2016, trustedCertEntry, 
starfieldservicesrootg2ca [jdk], Apr 13, 2016, trustedCertEntry, 
swisscomrootca2 [jdk], Apr 13, 2016, trustedCertEntry, 
swisssigngoldg2ca [jdk], Apr 13, 2016, trustedCertEntry, 
swisssignplatinumg2ca [jdk], Apr 13, 2016, trustedCertEntry, 
swisssignsilverg2ca [jdk], Apr 13, 2016, trustedCertEntry, 
thawtepremiumserverca [jdk], Apr 13, 2016, trustedCertEntry, 
thawteprimaryrootca [jdk], Apr 13, 2016, trustedCertEntry, 
thawteprimaryrootcag2 [jdk], Apr 13, 2016, trustedCertEntry, 
thawteprimaryrootcag3 [jdk], Apr 13, 2016, trustedCertEntry, 
ttelesecglobalrootclass2ca [jdk], Apr 13, 2016, trustedCertEntry, 
ttelesecglobalrootclass3ca [jdk], Apr 13, 2016, trustedCertEntry, 
usertrusteccca [jdk], Apr 13, 2016, trustedCertEntry, 
usertrustrsaca [jdk], Apr 13, 2016, trustedCertEntry, 
utnuserfirstclientauthemailca [jdk], Apr 13, 2016, trustedCertEntry, 
utnuserfirsthardwareca [jdk], Apr 13, 2016, trustedCertEntry, 
utnuserfirstobjectca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass1ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass1g2ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass1g3ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass2g2ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass2g3ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass3ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass3g2ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass3g3ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass3g4ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignclass3g5ca [jdk], Apr 13, 2016, trustedCertEntry, 
verisigntsaca [jdk], Apr 13, 2016, trustedCertEntry, 
verisignuniversalrootca [jdk], Apr 13, 2016, trustedCertEntry, 
xrampglobalca [jdk], Apr 13, 2016, trustedCertEntry, 

In conclusion, JDK 10 provides a default trusted KeyStore file, cacerts, with 104 root CA certificates included. In a KeyStore file, each certificate is assigned an alias name. The "keytool -list" command returns a list of alias names as shown above.
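
One practical use of this listing, as an added example that is not part of the original tutorial: the Python script below parses "keytool -list" output in the format shown above and compares the alias names against a known-good baseline, so that a root CA added to or removed from the trust store stands out. The sample listing, the alias "examplecorpproxyca", the function names, and the assumption that dates appear as "Mon D, YYYY" are constructed for illustration.

```python
import re

# Constructed sample: a shortened `keytool -list` listing in the format shown
# above, with one alias (examplecorpproxyca) that is not in the baseline.
SAMPLE = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

actalisauthenticationrootca [jdk], Apr 13, 2016, trustedCertEntry,
digicertglobalrootca [jdk], Apr 13, 2016, trustedCertEntry,
letsencryptisrgx1 [jdk], May 17, 2017, trustedCertEntry,
examplecorpproxyca, Jan 5, 2018, trustedCertEntry,
"""

# Each entry line: alias, "Mon D, YYYY", entry type, trailing comma.
ENTRY = re.compile(
    r"^(?P<alias>.+?), (?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}), (?P<type>\w+),\s*$")
COUNT = re.compile(r"^Your keystore contains (\d+) entr(?:y|ies)")

def parse_listing(text):
    """Return (declared_count, {alias: (date, entry_type)}) from a listing."""
    declared, entries = None, {}
    for line in text.splitlines():
        m = COUNT.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ENTRY.match(line)
        if m:
            entries[m.group("alias")] = (m.group("date"), m.group("type"))
    return declared, entries

def audit(text, baseline_aliases):
    """Compare a listing against a known-good set of alias names."""
    declared, entries = parse_listing(text)
    current = set(entries)
    return {
        "count_matches": declared == len(entries),  # header count vs parsed lines
        "added": sorted(current - baseline_aliases),
        "removed": sorted(baseline_aliases - current),
        "not_trusted_cert": sorted(
            a for a, (_, t) in entries.items() if t != "trustedCertEntry"),
    }

if __name__ == "__main__":
    baseline = {"actalisauthenticationrootca [jdk]",
                "digicertglobalrootca [jdk]", "letsencryptisrgx1 [jdk]"}
    print(audit(SAMPLE, baseline))
```

To build the baseline, save the alias names from a listing of a freshly installed JDK's cacerts file and rerun the comparison against the file in use.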

Last update: 2018.
