How to Migrate Java Certificates to New Version of Java

Document created by rich_patterson (Employee) on Jun 17, 2014. Last modified by chris_stevens on Jun 17, 2016.
Version 2

NOTE: This article may be outdated.

Below are the steps required to migrate certificates from one Keystore into another:


Locate the new ( Java 7 ) version of the keytool:

  • Determine the installation directory of the new (Java 7) JRE/JDK (e.g. /opt/jdk1.7.0_45/jre)

  • The keytool is located in the bin directory (e.g. [JRE]/bin/keytool)


Identify the location of the source ( Java 6 ) and target ( Java 7 ) keystores:

  • For JDK, this is typically [JDK_HOME]/jre/lib/security/cacerts

  • For JRE, this is typically [JRE]/lib/security/cacerts

  • Note: If you use an alternative keystore (e.g. a keystore shared with a web server, or a keystore specified by the system property), then you may need to modify the instructions below accordingly, possibly specifying keytool -storetype when using the keytool to reference your keystore.


Verify that you have the correct password for both keystores:

  • Command: keytool -list -keystore /opt/jdk1.7.0_45/jre/lib/security/cacerts

  • You will be prompted for the password

  • The default password is "changeit"


Create a backup copy of the default certs file for your target keystore:

  • For example: Copy /opt/jdk1.7.0_45/jre/lib/security/cacerts to cacerts.bak

  • This file can be copied back in place if necessary


Determine which certs you have added to the default Java 6 cacerts

  • If you kept track of the certs as you added them over time, and you know which certs you need to migrate, then this step is done. Otherwise you need to compare the certs in your Java 6 keystore, against the certs distributed in the generic Java 6 distribution.

  • Default Java certs for several distributions are attached to this article as an HTML document.

  • Alternatively, you may download and install the old version of Java ( Java 6 ) and list the files yourself.

  • Find your Java distribution here:

  • Download and install (may require registration with Oracle)

  • Look at the default certs with keytool -list -keystore [JRE]/lib/security/cacerts

  • Save the names (i.e. the aliases) of the certs you’ve added into a migration list (say, a spreadsheet)


Check your migration list for expired certs and remove them from your list

  • keytool -list -v -keystore cacerts -alias <alias>

  • Look at the “Valid from … until …” line


You may also want to check your certificates to see whether any certificates have been revoked.


Now add the certs ( using the aliases ) one at a time to the new ( Java 7 ) keystore:

  • keytool -keystore <Java 6 cacerts> -alias <alias> -export -file <cert_for_this_alias>.cert

  • keytool -keystore <Java 7 cacerts> -alias <alias> -import -file <cert_for_this_alias>.cert

    • You may need administrative privileges to perform this command

    • keytool may prompt you whether to trust the certificate (e.g. if it is a self-signed cert or the cert has expired). Presumably you can, but this is the point at which you make that decision.

    • If you are importing an intermediate cert and the import fails on establishing a certificate path, you can retry with the -trustcacerts flag.

  • For security reasons, you must remove the transition .cert files created in the previous step


Verify that entries were copied correctly into the target Java installation.

  • keytool -list -rfc -keystore [JRE]/lib/security/cacerts -alias <alias>

  • keytool -list -v -keystore [JRE]/lib/security/cacerts -alias <alias>
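
The comparison in the step "Determine which certs you have added to the default Java 6 cacerts" can be scripted. The following is an added example, not part of the original article: it diffs two saved `keytool -list` outputs (your Java 6 cacerts and a stock Java 6 cacerts) by alias and fingerprint, which goes beyond an alias-only list by also flagging stock aliases whose certificate was replaced. The function names and sample listings are constructed for illustration; it assumes keytool's English-locale output and that both listings were produced by the same keytool, so the fingerprint algorithm matches.

```shell
# Added example: build the migration list from two saved `keytool -list` outputs.
# parse_entries emits "alias<TAB>fingerprint"; assumes the English-locale layout:
#   myalias, Jan 7, 2008, trustedCertEntry,
#   Certificate fingerprint (SHA1): AA:BB:...
parse_entries() {
  awk '
    /Entry,?[ \t]*$/ {
      alias = $0
      sub(/, [A-Za-z]+ [0-9]+, [0-9]+, [A-Za-z]+Entry,?[ \t]*$/, "", alias); next
    }
    /^Certificate fingerprint/ && alias != "" {
      fp = $0; sub(/^[^:]*: */, "", fp)
      print alias "\t" fp; alias = ""
    }'
}

# migration_list <customized-listing> <stock-listing>
#   ADDED   = alias absent from the stock keystore
#   CHANGED = stock alias whose fingerprint differs (the entry was replaced)
migration_list() {
  parse_entries < "$1" | STOCK="$(parse_entries < "$2")" awk '
    BEGIN { FS = "\t"; n = split(ENVIRON["STOCK"], rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, "\t"); stock[f[1]] = f[2] } }
    !($1 in stock)  { print "ADDED\t" $1; next }
    stock[$1] != $2 { print "CHANGED\t" $1 }'
}

# Constructed sample listings; aliases and fingerprints are made up.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/stock.txt" <<'EOF'
exampleroot1, Jan 7, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11
exampleroot2, Mar 12, 2009, trustedCertEntry,
Certificate fingerprint (SHA1): 22:22:22:22
EOF
  cat > "$dir/custom.txt" <<'EOF'
Your keystore contains 3 entries
exampleroot1, Jan 7, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11
exampleroot2, Jun 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 99:99:99:99
internal-ca, Jun 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): AB:CD:EF:01
EOF
  migration_list "$dir/custom.txt" "$dir/stock.txt"
  rm -rf "$dir"
}
demo
```

Entries reported as CHANGED deserve a closer look with `keytool -list -v` before they go on the migration list, since the certificate under that alias is not the one the distribution shipped.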



  • Some of your processes may encounter a new error such as:

First document failure: [Server.userException] handshake alert:  unrecognized_name;

  • To resolve this, in the atom.vmoptions, add the line