Java Keytool error after importing certificate, "keytool error: java.io.FileNotFoundException & Access Denied"
A

15

183

I'm trying to connect a Java Web API via HTTPS; however, an exception is thrown:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException

I followed these steps which I learned from online keytool & SSL cert tutorials:

  1. I copied the HTTPS URL into the browser, downloaded the SSL certificates & Installed them in the browser using Internet Explorer.

  2. Exported the certificates to a path on my computer, the certificates were saved as .cer

  3. Used the keytool's import option. The command below executed without any errors.

    keytool -import -alias downloadedCertAlias -keystore C:\path\to\my\keystore\cacerts.file -file C:\path\of\exportedCert.cer
    
  4. I was prompted for a password at the command prompt, which I entered then I was authenticated.

  5. The cmd window printed some certificate data & signatures and I was prompted with the question:

    Trust this certificate?

    I answered yes.

  6. The cmd prompt displayed

    Certificate was added to keystore

    However after that message, another exception was displayed:

    keytool error: java.io.FileNotFoundException: C:\Program files\...\cacerts <Access Denied>
    

Finally, when I checked the keystore, the SSL certificate was not added and my application gives the same exception I was getting earlier when trying to connect:

(javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException)
Atrium answered 25/4, 2012 at 18:2 Comment(2)
Could you post the exact keytool command that you've executed, and its output? Some of the obvious issues here are the typo of the -keystore argument, and the fact that keytool was unable to find the keystore to import the key into - Equipotential
I meant to write: keytool -import -alias downloadedCertAlias -keystore C:\path\to\my\keystore\cacerts.file -file C:\path\of\exportedCert.cer I also mentioned the command executed without errors, so obviously this is just a spelling mistake in my question!!! Thanks anyways - Atrium
A
52

I was having the same problem while importing the certificate into the local keystore. Whenever I issued the keytool command I got the following error.

    Certificate was added to keystore keytool error: java.io.FileNotFoundException: C:\Program Files\Java\jdk1.8.0_151\jre\lib\security (Access is denied)

The following solution worked for me.

1) Make sure you are running the command prompt in Run as Administrator mode

2) Change your current directory to %JAVA_HOME%\jre\lib\security

3) Then issue the command below

    keytool -import -alias "mycertificatedemo" -file "C:\Users\name\Downloads\abc.crt" -keystore cacerts

4) Give the password changeit

5) Enter y

6) You will see the following message on success: "Certificate was added to keystore"

Make sure you are giving only "cacerts" as the -keystore param value, as I was giving the full path like "C:\Program Files\Java\jdk1.8.0_151\jre\lib\security".

Hope this will work

Attainture answered 6/12, 2017 at 8:7 Comment(4)
As mentioned here, being actually in the security directory and only giving the "cacerts" name of the cert instead of the full path was what worked for me. - Aptitude
I used sudo -i to make myself the superuser in the first step on Mac and followed the steps and it worked. I opened up the cacerts file as a text file and found my certificate by doing command f to search for its name (or anything else relating to the certificate). - Bosnia
Doing a cd $JAVA_HOME/jre/lib/security and then making sure to only pass -keystore cacerts without the path fixed the problem for me. - Ignatia
Only this answer helped to fix the problem - Antifriction
L
335

This could happen if you are not running the command prompt in administrator mode. If you are using Windows 7, you can go to Run, type cmd and hit Ctrl+Shift+Enter. This will open the command prompt in administrator mode. If not, you can also go to Start -> All Programs -> Accessories -> right-click Command Prompt and click 'Run as administrator'.

Lithuanian answered 5/7, 2012 at 17:58 Comment(6)
For Mac users, a simple sudo will fix this issue. - Audry
Running as admin is not the right solution. Most companies are locking down admin access. Better to fix the reason as to why access is denied rather than elevating the privileges. - Belsky
Type cmd and hit Ctrl+Shift+Enter and added certificate successfully. It worked for me - Phosphorylase
Thanks. control-shift CMD was the only way I could alter cacerts store. - Retractor
@Afshar thanks a lot, I have been struggling with this for quite a long time. - Friseur
Seriously, I keep on getting this error and it's a company laptop, no chance in hell of me being able to run anything as admin. The fact that most of the answers here rely on being able to run as administrator is frustrating. - Ivetteivetts
A
27

I had the same problem under Windows and could solve it by running cmd.exe as administrator (right-click in start menu, then "Run as administrator").

Amblyopia answered 3/5, 2012 at 9:7 Comment(0)
N
15

Check the write permissions on the keystore.

Nelda answered 27/6, 2012 at 16:51 Comment(4)
If anyone can expand on this, just checking the permissions won't change anything. - Omnibus
Setting the tomcat directory to read-only will cause this exception - Catatonia
How to check the write permission? - Sutherland
If you check if it is read-only and then it is read-only - then you make it not read-only - then the issue will go away (if that was the issue of course). I already had an administrative window and forgot to check this - of course that was the issue and fix for me. - Blithe
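
Added example, not part of any answer in this thread: the write-permission check suggested above, plus a fallback for machines where elevation is not available, written for a POSIX shell (macOS/Linux). The function names, the `~/.truststore` directory and `app.jar` are assumptions; `keytool -importcert`, `keytool -list` and the `javax.net.ssl.trustStore` system property are standard.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "writable", "read-only" or "missing" for the keystore at $1,
# judged for the user running this script (no elevation involved).
keystore_status() {
    if [ ! -f "$1" ]; then echo missing
    elif [ -w "$1" ]; then echo writable
    else echo read-only
    fi
}

# Print the truststore to import into: the keystore $1 itself when it is
# writable, otherwise a private copy under directory $2.
choose_truststore() {
    src=$1 dest_dir=$2
    case $(keystore_status "$src") in
        writable) printf '%s\n' "$src" ;;
        read-only)
            mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
            cp "$src" "$dest_dir/cacerts" || return 1
            chmod 600 "$dest_dir/cacerts" || return 1
            printf '%s\n' "$dest_dir/cacerts" ;;
        *) echo "keystore not found: $src" >&2; return 1 ;;
    esac
}

# Import certificate file $1 under alias $2 into truststore $3, then list
# the alias to confirm it was really written: in the question keytool
# printed "Certificate was added to keystore" although the write failed.
# keytool still shows the certificate and asks "Trust this certificate?".
import_and_verify() {
    pass=${STOREPASS:-changeit}   # default cacerts password named in the thread
    keytool -importcert -alias "$2" -file "$1" \
        -keystore "$3" -storepass "$pass" || return 1
    keytool -list -alias "$2" -keystore "$3" -storepass "$pass" >/dev/null
}

# Usage, with the JAVA_HOME layout from the answers (app.jar is a placeholder):
#   ts=$(choose_truststore "$JAVA_HOME/jre/lib/security/cacerts" "$HOME/.truststore") &&
#   import_and_verify exportedCert.cer downloadedCertAlias "$ts" &&
#   java -Djavax.net.ssl.trustStore="$ts" -jar app.jar
```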
K
7

For Mac users make sure to sudo and when prompted first give your administrator password and that will be followed by keystore password which typically should be "changeit" unless you actually changed it.

Kief answered 21/6, 2017 at 19:17 Comment(0)
U
2

If you are using windows8:

  1. Click start button
  2. In the search box, type command prompt
  3. From the result, right-click command prompt and click Run as administrator. Then execute the keytool command.
Uuge answered 17/3, 2016 at 6:16 Comment(0)
S
2

I got this error too, even though I ran cmd as an Administrator.

The root cause is: the file is from VCS (Subversion, Perforce, etc.), and when I checked the properties of this file, its Attributes is Read-only.

So the solution is:

  • (1) disable the 'Read-only' Attribute;
  • (2) check out from VCS, let the file under the status of read&write.
St answered 16/6, 2020 at 1:1 Comment(1)
Wow. This with the other solutions works for me. Thanks! - Longueur
A
2

To solve this problem you have to access as Admin or give Full Control for user privileges. That solved the problem for me.

Albanese answered 15/9, 2022 at 20:45 Comment(0)
L
1

You can give yourself permissions to fix this problem.

Right click on cacerts > choose Properties > select Security tab > Allow all permissions to all the Group and user names.

This worked for me.

Lepidolite answered 31/5, 2016 at 22:34 Comment(0)
P
1

Make sure you are running as Administrator. In Mac terminal:

  1. Run sudo -i
  2. Then execute the commands
Puffin answered 11/2, 2022 at 13:31 Comment(0)
U
1

For Mac, use the command below:

    sudo keytool -importcert -file ~/certificate-file.cer -keystore "$(/usr/libexec/java_home)/lib/security/cacerts"

The command below will give you the location of cacerts.

    /usr/libexec/java_home
Unders answered 10/3 at 12:7 Comment(1)
Thanks, for Mac I have added "sudo" at the start of the keytool command, it worked. "sudo keytool -importcert -trustcacerts -cacerts .........................." - Harlequin
S
0

I even ran the command prompt as Administrator, but it didn't work for me and gave the error below.

    'keytool' is not recognized as an internal or external command,
    operable program or batch file.

If the path to keytool is not in your system PATH, then you will need to use the full path to keytool, which is

    C:\Program Files\Java\jre<version>\bin

So, the command should be like

    "C:\Program Files\Java\jre<version>\bin\keytool.exe" -importcert -alias certificateFileAlias -file CertificateFileName.cer -keystore cacerts

That worked for me.

Surovy answered 14/2, 2017 at 12:59 Comment(0)
C
0

Our keystore was stored in SCM, and for some reason downloading the file directly from the SCM service again, enabled modifying the keystore. Probably the earlier download of the file didn't bring it in binary format.

Crabstick answered 12/6, 2023 at 13:7 Comment(0)
A
-2

You can store on another disk or path (not C), e.g. D:\

    C:\Program Files\Java\jre1.8.0_101\bin>keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore D:\myserver.jks -dname "CN=myserver,OU=IT-WebDev, O=TIACHOP, L=HCM, ST=0753, C=VN" && keytool -certreq -alias server -file D:\myserver.csr -keystore D:\myserver.jks


Ascogonium answered 13/10, 2016 at 13:48 Comment(0)
A
-2

SOLVED

  1. Just run CMD as an administrator.
  2. Make sure you're using the correct truststore password
Advisee answered 13/9, 2017 at 7:32 Comment(0)
