Accepted answer

Probably you want to import a "fake" SSL cert in JRE's trustcacerts for avoiding not-a-valid-certificate issues. Isn't it?

As Jon said, you can do the job with keytool:

    -alias <provide_an_alias>
    -file <certificate_file>
    -keystore <your_path_to_jre>/lib/security/cacerts

Use "changeit" as the default password when asked (thanks Brian Clozel). Ensure to use this runtime at your server or launch configuration.


You should probably create the certificate and import it into the default keystore using keytool. I'm not sure what you're trying to do with your application, but it should then be able to use that certificate.


sudo  keytool -import  -file /Users/balaji-pt2176/Desktop/Apple\ Worldwide\ Developer\ Relations\ Certification\ Authority.cer  -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_181.jdk/Contents/Home/jre/lib/security/cacerts

in mac


If you have default Java setup and have provided Java classpath, then you must be using Java Truststore for SSL certificates.

For this you can follow below steps to import certificates into Trust store:

  1. Navigate to the JRE\bin folder of your Java setup Ideally the path should be:


  1. You will be able to find Keytool in the bin folder(which will be used to run the commands):

Path to locate Keytool

  1. Now once you are on this path, open the path in your CMD prompt:

Bin folder in CMD

  1. Now you will be able to find default Trust store of Java at below path: Path-


Path to Java default Trust store

  1. Now you can run below command to see contents of this Trust store:

    keytool -list -v -keystore "C:\Program Files\Java\jre1.8.0_221\lib\security\cacerts"

Note: If your path to Trust store has spaces in it, then you need to use double quotes for the path. Else you can provide path like below:

keytool -list -v -keystore C:\Temp\Java\jre1.8.0_221\lib\security\cacerts

Now just provide password to Trust Store(Default password is: changeit): Accessing Trust store using Keytool

  1. You can now as per your need add any certificate to the Trust store:

    JRE_HOME/bin/keytool -import -trustcacerts -alias certAlias -file certFile -keystore trustStoreFile


We need to import a certificate means we need to use :

 -file <certificate_location> 
 -keystore <jre_location\lib\security\cacerts> 
 -alias "<cert_name>"

It will ask for a password. Type the password as changeit

Type Password : changeit

finally it will ask need to add {yes/no} :

type yes.

Note: Don't give blank space in location path



  1. Open Keychain (Shortcut: press Command + Spacebar and type Keychain)
  2. Search the desired certificate file (e.g. example.cer) and right-click ➡️ Select Export... ➡️ Save it to some location e.g. Desktop.
  3. Follow the instructions in this answer to import it to your Java certificate store. The important commands are:
cd $JAVA_HOME/lib/security
sudo cp cacerts cacerts.bak
sudo keytool -importcert -alias youralias -file ~/Desktop/example.cer -keystore cacerts

The default password of the keystore is: changeit.

  1. Assuming, $JAVA_HOME/lib/security points to /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security in your system, add the following lines in the eclipse.ini file:

Note: If you are using STS, follow this answer to locate the .ini file.

  1. Restart Eclipse.


There's a better tool for the job.

KeyStore Explorer

When you run (run as administrator in windows in order to save changes to system, sudo in linux, etc.) the application (it has installers for win/mac/linux) there's a built-in function to edit the system's cacerts file:

File -> Open Special -> Open CA Certificates

Open CA Certificates

EITHER you already have the certificate file and you can go to:

Tools -> Import Trusted Certificate

OR you need to download the certificate from the server; go to:

Examine -> Examine SSL

Examine menu

Examine SSL

From there type in the hostname and click ok. It will pop up a window showing the certificate details. At the bottom of that window there's an "Import" button that will allow you to directly import it into the cacerts.

Certificate Details for SSL Connection

Make sure you save and close cacerts, and restart your eclipse/application for the settings to take effect.


In case you have the certificate already in your Windows' certificate store (this is common in corporate/company deployments with MITM certificates), you can also use the following steps (with help from another Stackoverflow answer with more detailed explaination):

  1. Locate the eclipse.ini file in your Eclipse installation and open it

  2. Below the line -vmargs, add the following lines, then save the file: 
  1. Restart eclipse.

Related Query

More Query from same tag