The other day I had to download a public cert from a web service’s host and store it in my java keystore so that it can be trusted. Here’s what I did:
openssl s_client -showcerts -connect www.manthanhd.com:443 < /dev/null 2>/dev/null| sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > /tmp/www-manthanhd-com.cert
sudo keytool -import -file /tmp/www-manthanhd-com.cert -alias wwwmanthanhdcom -keystore /opt/java/jre/lib/security/cacerts -storepass changeit
The first line downloads the public cert from www.manthanhd.com and stores it in /tmp/www-manthanhd-com.cert.
Next, we’re using keytool to import that certificate into the Java cacerts keystore. I am only using sudo here because Java is installed as root. If in your case it’s not, you can just run the keytool command without the sudo prefix.
Also, on my test box, the java keystore has the default java keystore password which is changeit. Make sure this matches whatever your keystore password is.
Last but not least, the alias that the cert is imported under is important because this is what you will have to use later to find it. In this case I’m just using the hostname without any punctuation. This way, I can easily find the cert for any host if I need it.
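One thing worth checking before the import step: openssl's -showcerts option prints every certificate the server sent (the leaf plus its chain), and the sed range above keeps all of them, so the file may contain more than one cert. The following script is an added example (not from the original post) that splits the s_client output into individual certificates so you can see exactly which one you are about to trust, and wraps the download, inspect, import and verify steps in one function. The hostname, keystore path ($JAVA_HOME/lib/security/cacerts) and alias in it are assumed for illustration, and the sample s_client output embedded in it is constructed with placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original post. Hostname, keystore path and
# alias are assumed; the SAMPLE text below is constructed, not a real dump.

# Print only the Nth PEM certificate block from s_client output read on stdin.
# Block 1 is the server's own (leaf) certificate; later blocks are the chain.
nth_cert() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  '
}

# Count how many certificate blocks the server sent.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Constructed sample resembling `openssl s_client -showcerts` output: a leaf
# cert followed by its issuer, wrapped in the chatter s_client prints. The
# base64 bodies are placeholders.
SAMPLE='CONNECTED(00000003)
depth=1 C = XX, O = Example CA
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:O = Example CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:O = Example CA
   i:O = Example CA
-----BEGIN CERTIFICATE-----
ISSUERCERTPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
---
DONE'

# The full procedure against a live host (assumed host, path and alias).
# Defined here for reference; it needs network access and is not called below.
import_leaf_cert() {
  host="$1"; alias="$2"; out="/tmp/$alias.cert"
  keystore="${JAVA_HOME:-/opt/java/jre}/lib/security/cacerts"   # assumed location
  openssl s_client -showcerts -connect "$host:443" </dev/null 2>/dev/null \
    | nth_cert 1 > "$out"
  # Inspect subject, expiry and fingerprint before trusting it; compare the
  # fingerprint with one obtained out of band from the service owner.
  openssl x509 -in "$out" -noout -subject -enddate -fingerprint -sha256
  keytool -importcert -noprompt -file "$out" -alias "$alias" \
    -keystore "$keystore" -storepass changeit
  # Confirm the entry is present under the alias you will look it up by later.
  keytool -list -keystore "$keystore" -storepass changeit -alias "$alias"
}

# Stand-alone demo on the constructed sample: how many certs were sent, and
# the leaf block on its own.
printf '%s\n' "$SAMPLE" | count_certs
printf '%s\n' "$SAMPLE" | nth_cert 1
```

Run the demo as-is to see that the sample contains two certificates and that nth_cert 1 isolates the leaf; call import_leaf_cert with a real hostname and alias to do the import, and read the fingerprint line it prints before accepting the entry into cacerts.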