on 2021-02-24 1:05 PM - edited on 2025-08-01 2:31 AM by Laurids_PETERSE
This article describes how to import CA certificates into the JRE truststore on Linux. The same approach applies to macOS, with slightly different paths.
The JRE (Java Runtime Environment) bundled with STM32CubeIDE only contains public certificate authorities (CAs). Sometimes you need to add a private CA, for example when using a proxy server to access the Internet.
The following problem may appear in STM32CubeIDE if the CA is not included in the truststore:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Two methods for importing the private CA certificate into the JRE’s truststore are listed below. Both methods use the Java keytool to import the private CA into the truststore used by STM32CubeIDE.
Import CA certificate into current version of JRE’s truststore.
Pros: keep public CA certificates always up to date
Cons: each time there is a JRE update, the private CA certificates need to be re-imported
1. Close STM32CubeIDE
2. Open STM32CubeIDE installation folder
3. Open <stm32cubeide.ini> and locate the current JRE in the file, Example:
-vm
plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre/bin
4. Import the CA certificate with keytool
$ cd plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre
$ bin/keytool -importcert -alias aUniqueName -keystore lib/security/cacerts -file thePathToTheCaToImport.cer
The default truststore password is “changeit” and must be left unchanged
5. Redo step 4 for every required CA certificate
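A scripted form of steps 3 to 5, as an added example that is not part of the original article or of ST's tooling: it reads the JRE path from the -vm entry, imports the certificate only if its SHA-256 fingerprint matches a value obtained out of band from the CA's operator, and then lists the new entry. The function names, the cacerts.bak backup and the fingerprint check are assumptions of this example, as is a "SHA256:" line in the keytool -printcert output.

```shell
#!/bin/sh
# Added example, not ST's script. Usage (arguments are placeholders):
#   sh import_ca.sh INSTALL_DIR CERT ALIAS EXPECTED_SHA256

# Print the JRE home named by the "-vm" entry of stm32cubeide.ini.
# The path is on the line after "-vm" and ends in /bin, which is stripped.
jre_home_from_ini() {
    awk 'prev == "-vm" { sub(/\/bin\/?$/, ""); print; exit } { prev = $0 }' "$1"
}

# Normalize a fingerprint (colons or spaces, any case) to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# import_ca INSTALL_DIR CERT ALIAS EXPECTED_SHA256
# Imports CERT into the bundled cacerts only if its SHA-256 fingerprint matches
# the expected value; a wrong or swapped certificate is never trusted.
import_ca() {
    install_dir=$1 cert=$2 ca_alias=$3 expected=$4
    vm=$(jre_home_from_ini "$install_dir/stm32cubeide.ini")
    case $vm in /*) jre=$vm ;; *) jre=$install_dir/$vm ;; esac
    store="$jre/lib/security/cacerts"
    actual=$("$jre/bin/keytool" -printcert -file "$cert" |
        awk '/SHA-?256:/ { print $2; exit }')
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        return 1
    fi
    # Keep a copy of the truststore, import without the interactive prompt
    # (the fingerprint was already checked), then show the stored entry.
    cp -p "$store" "$store.bak" &&
    "$jre/bin/keytool" -importcert -noprompt -alias "$ca_alias" \
        -keystore "$store" -storepass changeit -file "$cert" &&
    "$jre/bin/keytool" -list -alias "$ca_alias" -keystore "$store" -storepass changeit
}

# Run only when called with the four arguments; otherwise just define functions.
if [ "$#" -eq 4 ]; then
    import_ca "$@"
fi
```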
Duplicate certificate from current version of JRE’s truststore.
Pros: configuration persisted across STM32CubeIDE JRE updates
Cons: public CA certificates that have been revoked will remain trusted in STM32CubeIDE
1. Close STM32CubeIDE
2. Open STM32CubeIDE installation folder
3. Open <stm32cubeide.ini> and locate the current JRE in the file, Example:
-vm
plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre/bin
4. Copy the current truststore
$ cp plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre/lib/security/cacerts /somewhere/cacerts
5. Import the CA certificate with keytool
$ cd plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre
$ bin/keytool -importcert -alias aUniqueName -keystore /somewhere/cacerts -file thePathToTheCaToImport.cer
The default truststore password is “changeit” and must be left unchanged
6. Redo step 5 for every required CA certificate
7. Add these lines at the end of <stm32cubeide.ini>
-Djavax.net.ssl.trustStore=/somewhere/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
Java keytool command documentation: keytool