A command-line utility to manage certificates in all the installed JDKs discovered.
Modern JDKs rely on a trusted certificate store to securely connect to HTTPS services. But managing these certificates—especially across multiple installed JDKs—can be a pain.
JDKCertsTool makes it easy:
- ✅ Add or remove custom certificates (like corporate or internal CA certs)
- 🔍 List installed JDKs
- 🔐 Uses keytool under the hood — no need to learn its syntax
If you’ve ever hit SSL or trust errors when using Java with internal services, APIs, or behind proxies, this tool helps you fix that in seconds.
Note that this is a developer tool which assumes usage on development environment.
This assumption translates, for example, in having the same password (or the default changeit) for all the keystores
and implicitly assuming the cacerts keystore.
brew tap ADarko22/tap
brew install jdkcertsUse the installed jdkcerts command:
jdkcerts --helpgit clone https://github.com/ADarko22/JDKCertsTool.git
cd JDKCertsTool./gradlew run --args="--help"You can use the provided run configurations in runConfigurations.idea/runConfigurations to
execute the tool directly from IntelliJ:
InfoList JDKsInstall JDK CertRemove JDK CertFind JDK Cert
Note: you may need to edit the "Program arguments" to replace placeholders like <ALIAS> and <CERT_PATH> with
actual values, and to remove --dry-run for permanent changes.
Displays basic project and environment info.
Options:
| Option | Description |
|---|---|
| -h, --help | ❓ Show this message and exit |
| --custom-jdk-dirs | 🗂️ Comma-separated paths to JDK directories (optional) |
Options:
| Option | Description | Default |
|---|---|---|
| -h, --help | ❓ Show this message and exit | |
| --custom-jdk-dirs | 🗂️ Comma-separated paths to JDK directories (optional) | |
| --cert | 📄 Path to the certificate file (required) | |
| --keystore-password | 🔐 Keystore password | changeit |
| --alias | 🏷️ Certificate alias | |
| --dry-run | 🛑 Preview changes without modifying anything |
Options:
| Option | Description | Default |
|---|---|---|
| -h, --help | ❓ Show this message and exit | |
| --custom-jdk-dirs | 🗂️ Comma-separated paths to JDK directories (optional) | |
| --keystore-password | 🔐 Keystore password | changeit |
| --alias | 🏷️ Certificate alias | |
| --dry-run | 🛑 Preview changes without modifying anything |
Options:
| Option | Description | Default |
|---|---|---|
| -h, --help | ❓ Show this message and exit | |
| --custom-jdk-dirs | 🗂️ Comma-separated paths to JDK directories (optional) | |
| --keystore-password | 🔐 Keystore password | changeit |
| --alias | 🏷️ Certificate alias (required) | |
| -v, --verbose | 🔬 Display all certificate details (SHA1, SHA256, Serial, etc.) | false |
JDKCertsTool is designed for real-world Java environments where trusting internal or custom certificates is crucial for secure communication:
-
Connecting Backend Services to Internal Authentication Servers:
When your Java backend calls internal SSO, OAuth2/OIDC providers, or custom token services, the JDK must trust the server’s certificate chain. Without the proper CA certificates imported, SSL handshakes fail, blocking authentication and API calls. -
Testing OAuth2/OIDC Tokens with IntelliJ HTTP Client:
Developers retrieving access tokens or testing APIs via IntelliJ HTTP Client often face SSL errors if the internal auth servers use certificates not trusted by the default JDK certificate keystore. Adding these certs avoids frustrating connection failures during development. -
Accessing Internal Maven or Gradle Repositories:
Private artifact repositories often use self-signed or corporate CA certificates. When the JDK doesn’t trust these, builds fail with SSL errors. Installing the correct certificates ensures smooth dependency resolution in CI and local builds.
More in general, resolving PKIX path building failed SSL Errors.
This project is licensed under the MIT License.