How to import a certificate into the Application Server's Truststore

  • Updated


If using a self-signed certificate with an On-Premise Contrast Server installation, or if a proxy or other device is rewriting the SaaS Contrast Server's certificate, you may wish to import the resulting certificate into the trust store used by your Java Application Server's JVM.  This article details the necessary steps.

Note: When using IBM WebSphere, the standard method of adding a signer certificate to the Node or Cell Trust Store via the SSL Certificate and Management area of the WebSphere Integrated Solutions Console is not sufficient due to the order in which classes are loaded within WAS.  This results in the necessary classes not being available to the Contrast agent when it starts see Java Agent does not honor WebSphere configured Truststore Entries for the workaround in the WebSphere case.


  1. Obtain the server certificate.  There are several ways to do so:
    • For an On-Premise installation, ask the administrator of the Contrast Server for the certificate.
    • From a browser running on the same machine as the application server, navigate to the Contrast UI (for example then save the certificate.  The process differs by browser and platform - but you can generally click the lock icon next to the URL and view the certificate then either drag it to a folder or look for an option to export to a file. 
    • Using openssl, the following command will save the certificate to a file named contrast-cert.pem:
openssl s_client -showcerts -connect {Contrast UI hostname}:{port} </dev/null 2>/dev/null | openssl x509 -outform PEM > contrast-cert.pem

Or on Windows - replace /dev/null with NUL:

openssl s_client -showcerts -connect {Contrast UI hostname}:{port} <NUL 2>NUL | openssl x509 -outform PEM > contrast-cert.pem
  1. Find the trust store used by the JVM.  It will generally be located at {Java Home}/jre/lib/security/cacerts
  1. Import the certificate using the following command:
{Java Home}/bin/keytool -import -trustcacerts -alias contrast-server -file contrast-cert.pem -keystore {Java Home}/jre/lib/security/cacerts

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request