SSL Certificates in Java: Keystores, Truststores, and keytool

How to configure SSL/TLS in Java applications. Covers keytool, PKCS#12 keystores, truststores, Spring Boot TLS, Tomcat SSL, and common Java SSL errors.

Java's SSL Model

Java has its own certificate management system separate from the operating system. Two key concepts:

  • Keystore -- contains your server's certificate and private key (what you present to clients)
  • Truststore -- contains CA certificates you trust (what you use to verify others)

By default, Java uses $JAVA_HOME/lib/security/cacerts as the truststore (password: changeit). This file contains the same root CAs that browsers trust.

Creating a Keystore with keytool

Import a PKCS#12 file

The easiest path. Generate a certificate at getaCert.com, download the .p12 file, and import it:

keytool -importkeystore \
    -srckeystore server.p12 -srcstoretype PKCS12 \
    -destkeystore keystore.jks -deststoretype JKS \
    -srcstorepass password -deststorepass changeit

Since Java 9, you can use the .p12 file directly as a keystore -- no conversion needed.

Generate a self-signed cert with keytool

keytool -genkeypair -alias server \
    -keyalg RSA -keysize 2048 \
    -validity 365 \
    -keystore keystore.jks \
    -storepass changeit \
    -dname "CN=localhost,O=Dev,C=US"

Import a PEM certificate

Java's keytool can't directly import PEM private keys. Convert to PKCS#12 first:

# Convert PEM cert + key to PKCS#12
openssl pkcs12 -export -out server.p12 \
    -inkey server.key -in server.pem \
    -certfile chain.pem -passout pass:password

# Import PKCS#12 into JKS keystore
keytool -importkeystore \
    -srckeystore server.p12 -srcstoretype PKCS12 \
    -destkeystore keystore.jks -deststoretype JKS

Adding a CA to the Truststore

To trust a self-signed certificate or a private CA (like getaCert.com's CA):

# Import CA certificate into a custom truststore
keytool -importcert -alias getacert-ca \
    -file ca-cert.pem \
    -keystore truststore.jks \
    -storepass changeit -noprompt

# Or add it to Java's default truststore
sudo keytool -importcert -alias getacert-ca \
    -file ca-cert.pem \
    -keystore $JAVA_HOME/lib/security/cacerts \
    -storepass changeit -noprompt

Spring Boot HTTPS

application.properties

server.port=8443
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=server

application.yml

server:
  port: 8443
  ssl:
    key-store: classpath:keystore.p12
    key-store-password: password
    key-store-type: PKCS12
    key-alias: server

Place keystore.p12 in src/main/resources/.

Redirect HTTP to HTTPS

@Configuration
public class HttpsRedirectConfig {
    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        tomcat.addAdditionalTomcatConnectors(httpConnector());
        return tomcat;
    }

    private Connector httpConnector() {
        Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(8443);
        return connector;
    }
}

Tomcat SSL Configuration

In server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="password"
                     certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
</Connector>

Useful keytool Commands

# List keystore contents
keytool -list -keystore keystore.jks -storepass changeit

# Verbose listing (shows cert details)
keytool -list -v -keystore keystore.jks -storepass changeit

# Export a certificate from keystore
keytool -exportcert -alias server -keystore keystore.jks \
    -storepass changeit -file server.cer

# Delete an entry
keytool -delete -alias old-cert -keystore keystore.jks \
    -storepass changeit

# Change keystore password
keytool -storepasswd -keystore keystore.jks

Common Java SSL Errors

PKIX path building failed

sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

The server's certificate isn't trusted. Either: - Add the CA certificate to your truststore - Use -Djavax.net.ssl.trustStore=/path/to/truststore.jks - For development: download our CA certificate and import it

No subject alternative names matching

java.security.cert.CertificateException:
No subject alternative names matching IP address 127.0.0.1 found

The certificate's CN or SAN doesn't match the hostname you're connecting to. Generate a new certificate with the correct domain or IP using our self-signed generator -- it supports SAN entries.

Keystore was tampered with

java.io.IOException: Keystore was tampered with, or password was incorrect

Wrong password. The default Java truststore password is changeit. The default getaCert.com PKCS#12 password is password.

Next Steps

More in Guides
TLS Certificates in Kubernetes: Complete Guide

How to configure TLS in Kubernetes using Secrets, Ingress termination, and cert-manager. Includes step-by-step instructions for using getacert certificates in your cluster.
Let's Encrypt: Complete Setup Guide

How to get free SSL certificates with Let's Encrypt. Covers certbot setup, automatic renewal, HTTP-01 and DNS-01 validation, wildcard certificates, and common issues.
Mutual TLS (mTLS): Client Certificates Step by Step

A practical guide to mutual TLS authentication using client certificates. Covers the mTLS handshake, certificate generation, and server configuration for nginx and Envoy.
Installing SSL Certificates on Nginx

How to configure SSL/TLS on nginx with proper cipher suites, HSTS, and security headers. Includes a production-ready config and testing instructions.
Installing SSL Certificates on Apache

Step-by-step guide to configuring SSL/TLS on Apache with mod_ssl. Covers virtual hosts, cipher suites, HSTS, OCSP stapling, and common pitfalls.
SSL/TLS Certificates in Docker Containers

How to configure SSL certificates in Docker containers. Covers self-signed certs for development, mounting certificates as volumes, Docker Compose TLS, and Traefik/nginx reverse proxy patterns.
SSL Certificates in Java: Keystores, Truststores, and keytool

How to configure SSL/TLS in Java applications. Covers keytool, PKCS#12 keystores, truststores, Spring Boot TLS, Tomcat SSL, and common Java SSL errors.
Essential OpenSSL Commands for SSL Certificates

The most useful OpenSSL commands for generating certificates, inspecting certs, converting formats, and debugging SSL connections. Copy-paste ready examples.
S/MIME Email Certificates: Sign and Encrypt Email

How to create S/MIME certificates for email signing and encryption. Generate test certificates with getaCert.com, configure Outlook, Apple Mail, and Thunderbird, and understand the trust model.
On This Page
Try It Yourself

Generate real certificates right now — no signup required.

Self-Signed CA-Signed
Resources