At work we run the WebCT Vista course management system by Blackboard.
Recently I was requested to figure out how to import the security certificate from the command line so that we could add this to the login script used for our campus computers. The main reason behind this was to eliminate the need for the user to have to manually agree to the security certificate when browsing to the CMS.
Normally when you want to create a Java keystore, you would use the keytool program located in $JAVA_HOME/bin. If you run this program to import a certificate without specifying a location for the keystore it tries to create one named .keystore in the user profile home directory.
However, when the JRE actually imports a certificate it doesn’t put it in this file. After some investigation, it turns out that the JRE imports certificates into a file named trusted.certs which is located in the following directory
C:\Documents and Settings\USERNAME\Application Data\Sun\Java\Deployment\security\
In order to import a certificate into a keystore you need to vital pieces of information:
- the keystore name
- the keystore password
The problem here is that this keystore is being automatically created by the JRE. It turns out that this keystore has a password that is an empty string. What this means is that when you import a certificate you have to specify the password by using the storepass parameter with a value “”.
For example if the certificate that you want to import has a name and path of
c:\Blackboard.cer
the command to import the certificate for the user jdoe would be
keytool.exe -import -noprompt -keystore C:\Documents and Settings\jdoe\Application Data\Sun\Java\Deployment\security\trusted.certs -storepass "" -file c:\Blackboard.cer
Update 2008-04-09:
I have also found how to do this on Mac OS X. According to the developer documents, the JVM on Mac OS X uses the user’s default keychain to store this type of certificate instead of using a file-based keystore like the other OS.
In order to store the certificate in the user’s login keychain you can import it via the command line tool certtool that is installed on the OS.
The command to import this certificate from the command line is
certtool i path/to/cert/file k=~/Library/Keychains/login.keychain
If you want to have this happen at login for each user who might login, then you could implement this via a login hook. For more on this, take a gander at the article 301446 in the Apple knowledgebase.