SSL certs in Java


What is the trick to making your SSL certs work with Java clients? I have
imported all your root and intermediate certs into cacerts. I get a
complaint about being unable to find cert chain.

This works for other vendors.


The ISRG root certificate and the IdenTrust X3 root certificate (used via cross-signing) are currently not included in the Java root program. You can use this script to do that manually. Make sure that your server is also sending the intermediate certificate, otherwise the client might not be able to build the trust chain back to the root certificate. This can be verified using SSL Labs or by using openssl s_client -showcerts -connect and manually inspecting the output.


@pfg Thanks! This works well. Do you know of equivalent reference for windows?


Haven’t seen a Windows version of this. The keytool syntax should be the same on Windows (other than the 2> /dev/null || true bit), so you’d probably only have to worry about how you fetch the certificates (the wget lines) and possibly change some of the paths.

If you’re able to upgrade to the latest version of Java, that would work too, as Java now trusts the root certificate Let’s Encrypt chains up to.


hi tanmaig

the quivalent in windows is the PFX format.

You should export a .PEM certificate with intermediates and private key into a .pfx file

Windows will then install the cert into the personal store and the intermediate cert into the Trusted Intermediate Store.

An alternative is to download the Intermediate certificates and install them into the windows Trusted Intermediate Store.


Did that. :slight_smile: I can confirm that it works perfectly.


IdenTrust’s DST Root CA X3 was actually added to Java’s trust store since this thread was started.

Java: only works with 7u111+ and 8u101+ as the “DST Root CA X3” was added with these versions on 2016-07-19 (see

Edit: I missed the line where pfg said this 18 hours ago. :frowning: