Importing common root certificates
Java's default trust store may not include the certificate authority (such as self-signed) used by your IRC. This means that connections to servers which make use of certificates signed by these CAs will fail.
It's possible to manually import the root certificates into Java's trust store which will make such connections work.
This approach is preferable to making use of the
InsecureTrustManagerFactory or otherwise disabling certificate
- Download the certificate in DER form.
openssl s_client -showcerts -connect irc.host:6697 < /dev/null | openssl x509 -outform DER > cert.der
cacertsfile. This is located in the
libof the JAVA_HOME directory. For example,
/usr/lib/jvm/java-8-oracle/jre/lib/cacertson a Ubuntu system.
Issue the import command for each certificate you'd like to import. The trust store can be protected with a password which is set by default to 'changeit'. If you've not changed it, you should be able to simply use this password. You can supply an alias for each certificate via the
sudo keytool -trustcacerts -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -noprompt -importcert -alias irchost -file cert.der
You can list all certificates in your trust store and verify the certificates were correctly added by issuing
sudo keytool -trustcacerts -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list
At this point, the certificates should now be imported and connections made using the JRE's default