LDS Certs and Java

This document outlines how to deal with the LDS Custom CA certs in Java.


Tuesday March 18, 2014 - Many systems are now using certificates issues by a trusted authority (finally!) and therefore the need to install a certificate has largely gone away. The Organizational CA certificate will/has expired on April 28th 2014. This was replaced by LDSCAX1 or LDSCAX2. There might be a few cases where you need to install these certificates, but note that they are not included in the certificate file download mentioned below. We are leaving this article up for reference but most developers will not need to follow these instructions.


In ICS we have numerous custom CAs and self signed certs. Normally this is fine but can cause problems for Java developers who wish to connect to another server over SSL. If you don't have the cert for the destination server in your java certificates file the connection will fail. You can generally solve this problem in one of two ways:

  • Tell Java to disable cert validation. This approach may be valid in some situations. However, by circumventing these checks you may be opening your application up for a man in the middle attack. If you think this solution is appropriate for your situation consult a member of the Stack team.
  • Install the LDS CA and self signed certificates into your java cacerts file.
  • Use a java certificates file that already has the certificate(s) you need loaded.

Install the LDS CA Certificates into Java

To install a certificate into your java certificates keystore do the following:

  1. Visit the destination site with your browser and extract the certificate from that site as a Base64 encoded X.509 Certificate File.
  2. Find your java certificates file by navigating to {JAVA_HOME}/jre/lib/security.
  3. Import the certificate into your cacerts file by executing a command like:
{JAVA_HOME}/bin/keytool -importcert -keystore cacerts -storepass changeit -file {path to X.509 certificate file} -alias {Any text identifying the cert}

Use an Existing Java Certificates File

It can be tedious acquiring the appropriate certs and installing them into your Java Certificates file. So, to help the Stack team has created a cacerts file developers can use. The current version is based on the Sun certificates available in the JDK 1.6u22 release.

NOTE! Do not use this file for stage/production. Consult your ASE if you need a cert installed in stage/production.

To install our cacerts file you must:

  1. Download our cacerts file here. You need firewall access to download the file because we are unsure of the legality of distributing the cacerts file.
  2. Overwrite the cacerts file in your {JAVA_HOME}/jre/lib/security directory. (you may want to backup the existing cacerts file just in case)

That's it.

Currently our custom cacerts file includes the following certificates:

  • apz-f5
  • diz-f5
  • cdir
  • gdir
  • gdirstage
  • sapz-f5
  • sdmz-f5
  • Organizational CA

If you discover a cert that is not in our cacerts file please let the Java Stack team know.

This page was last modified on 18 March 2014, at 13:49.

Note: Content found in this wiki may not always reflect official Church information. See Terms of Use.