
How to import private CA certificates into JRE truststore when using STM32CubeIDE on Linux or macOS

EJOHA
Senior

How can Certificate Authority (CA) certificates be imported into the JRE truststore when using STM32CubeIDE on Linux or macOS?
This article describes how to import CA certificates into the JRE truststore on Linux. The same approach applies to macOS, with slightly different paths.
 

1. Background

The JRE (Java Runtime Environment) bundled with STM32CubeIDE contains only public certificate authority (CA) certificates. Sometimes you need to add a private CA, for example when using a proxy server to access the Internet.
The following problem may appear in STM32CubeIDE if the CA is not included in the truststore:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2. Solution

Two methods for importing the private CA certificate into the JRE’s truststore are listed below. Both methods use the Java keytool to import the private CA into the truststore used by STM32CubeIDE.
 


2.1 Method 1 – Import into current version of JRE’s truststore

Import CA certificate into current version of JRE’s truststore.
Pros: keep public CA certificates always up to date
Cons: each time there is a JRE update, the private CA certificates need to be re-imported

1. Close STM32CubeIDE
2. Open STM32CubeIDE installation folder 
3. Open <stm32cubeide.ini> and locate the current JRE in the file. Example:
-vm
plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre/bin
4. Import the CA certificate with keytool

$ cd plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre
$ bin/keytool -importcert -alias aUniqueName -keystore lib/security/cacerts -file thePathToTheCaToImport.cer
The default truststore password is “changeit” and must be left unchanged.

5. Redo step 4 for every required CA certificate
 

2.2 Method 2 – Duplicate from current version of JRE’s truststore

Duplicate certificate from current version of JRE’s truststore.
Pros: configuration persisted across STM32CubeIDE JRE updates
Cons: public CA certificates that have been revoked will remain trusted in STM32CubeIDE

1. Close STM32CubeIDE
2. Open STM32CubeIDE installation folder
3. Open <stm32cubeide.ini> and locate the current JRE in the file. Example:
-vm
plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre/bin
4. Copy the current truststore

$ cp plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre/lib/security/cacerts /somewhere/cacerts
5. Import the CA certificate with keytool

$ cd plugins/com.st.stm32cube.ide.jre.linux64_x.x.x.xxxxx/jre
$ bin/keytool -importcert -alias aUniqueName -keystore /somewhere/cacerts -file thePathToTheCaToImport.cer
The default truststore password is “changeit” and must be left unchanged.

6. Redo step 5 for every required CA certificate
7. Add these lines at the end of <stm32cubeide.ini>

-Djavax.net.ssl.trustStore=/somewhere/cacerts

-Djavax.net.ssl.trustStorePassword=changeit
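
Steps 4 to 7 of Method 2 as a script. This is an added example, not part of the original article or ST's tooling; the function names, alias and file paths are assumptions, and it uses keytool's standard -list and -storepass options in addition to the flags shown above. The import still stops at keytool's "Trust this certificate?" prompt, which is where the displayed fingerprint should be compared with the value published by the CA's owner.

```bash
# Added example (not ST's script). Alias, paths and file names are placeholders.
# Assumes the -vm entry is relative to the install folder, as in the article.

# Print the JRE root named by the line after "-vm" in stm32cubeide.ini
# (that line ends in /jre/bin; the trailing /bin is stripped).
jre_root_from_ini() {
    local ini="$1" vm
    vm=$(awk 'prev == "-vm" { print; exit } { prev = $0 }' "$ini")
    [ -n "$vm" ] || return 1
    vm=${vm%/}
    printf '%s\n' "${vm%/bin}"
}

# Step 7: append the two trustStore options unless one is already present.
# Returns 0 when the lines were added, 1 when the file was left untouched.
set_truststore_in_ini() {
    local ini="$1" store="$2"
    if grep -q '^-Djavax\.net\.ssl\.trustStore=' "$ini"; then
        return 1
    fi
    # Make sure the last existing line is terminated before appending.
    if [ -n "$(tail -c 1 "$ini")" ]; then echo >> "$ini"; fi
    printf '%s\n' "-Djavax.net.ssl.trustStore=$store" \
        "-Djavax.net.ssl.trustStorePassword=changeit" >> "$ini"
}

# Steps 4 to 7 of Method 2 for one CA certificate.
# usage: import_private_ca <install_dir> <ca_file> <alias> <truststore_copy>
import_private_ca() {
    local install_dir="$1" ca_file="$2" ca_alias="$3" store="$4" ini jre
    ini="$install_dir/stm32cubeide.ini"
    jre=$(jre_root_from_ini "$ini") || return 1
    jre="$install_dir/$jre"
    # Copy the bundled truststore only once so earlier imports are kept.
    [ -f "$store" ] || cp "$jre/lib/security/cacerts" "$store" || return 1
    # keytool prints the certificate's owner, validity and fingerprints and
    # asks for confirmation before adding it to the copy.
    "$jre/bin/keytool" -importcert -alias "$ca_alias" -keystore "$store" \
        -storepass changeit -file "$ca_file" || return 1
    # Confirm the entry landed in the copy, then point the IDE at it.
    "$jre/bin/keytool" -list -alias "$ca_alias" -keystore "$store" \
        -storepass changeit || return 1
    set_truststore_in_ini "$ini" "$store" || true
}
```

Run it with STM32CubeIDE closed, once per CA certificate; the ini file is only modified on the first run.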
 

3. References

Java keytool command documentation: keytool
 
Version history
Last update: 2021-02-24 01:05 PM