How to view and edit cacerts file?

Here's a way to actually solve this problem without the need to view or edit the file.

The default keyStore type is JKS and the WSKeyStore class assumes it to be a PKCS12 file which throws the above error. So we need to convert the cacerts file to .p12 format.

Using the keytool utility from command line I executed:

C:\IBM\WebSphere85\AppServer\java\bin>keytool -importkeystore ^
 -srckeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts ^
 -destkeystore C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts.p12 ^
 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -noprompt

which gave me a cacerts.p12 file which could be easily read by the above class.

References:

  • IBM Error
  • Stackoverflow: convert .jks to .p12

As far as the original question, you can use the keytool command to view and edit a keystore like cacerts.

To view all keys in the keystore, use keytool -list:

$ keytool -list -keystore ${keystore.file}

where ${keystore.file} is the path to the cacerts file, in your case C:\IBM\Websphere85\jdk\jre\lib\security\cacerts.

To remove a specific key, use keytool -delete:

$ keytool -delete -alias ${cert.alias} -keystore ${keystore.file}

where ${cert.alias} is an existing key alias from the above -list command. *

To add a new key that was already generated elsewhere, use keytool -importcert:

$ keytool -importcert -alias ${cert.alias} -keystore ${keystore.file} -file ${cer.file} 

where ${cer.file} is the path to an existing certificate or certificate chain.

Note that with each of these commands, you will be prompted for the keystore password which you can instead specify with the -storepass option. For example:

$ keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass}

* The ${cert.alias} is the left-most value in the lines outputted from keytool -list.

For example, if this is the ouput from keytool -list:

$ keytool -list -keystore ./cacerts
Enter keystore password:  

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

verisignclass1ca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

then verisignclass1ca and verisignserverca are aliases you can specify to delete.