
KB-15087: Certificates continually get removed from java keystore

Authentication Service

28 June, 19 at 10:47 PM


After importing a certificate into the Java keystore, it is later found that the certificate has been removed. Why?

The audit log entries recorded for the event show that Centrify is somehow involved:

type=PROCTITLE msg=audit(04/19/2019 12:29:44.622:42373) : proctitle=/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth /etc/pki/ca-trust/extracted/j 

type=CWD msg=audit(04/19/2019 12:29:44.622:42373) : cwd=/usr/share/centrifydc/mappers/machine 


The certificates are removed when the update-ca-trust command runs. Centrify follows the Red Hat convention for CA certificate store maintenance and uses Red Hat's update-ca-trust command to maintain the store (the audit entry above shows the extraction running from the Centrify mapper directory), which is why Centrify appears to be removing the certificates.

The keytool command (a Java tool, not a Red Hat tool) writes an imported CA certificate directly into the target keystore file, so the Red Hat CA trust tooling knows nothing about it. The next time update-ca-trust runs, it rebuilds the Java keystore from its own sources; a certificate that is not present in the /etc/pki/ca-trust/source/anchors directory is not recognized and is removed.


To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

· add it as a new file to directory /etc/pki/ca-trust/source/anchors/

· run update-ca-trust extract

If the certificate is still removed, the update-ca-trust script itself can be modified so that it no longer purges the certificate.

Navigate to the /bin directory and edit the update-ca-trust file with vi or your preferred text editor.

Change the following line:

/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts

to:

/usr/bin/p11-kit extract --format=java-cacerts --filter=certificates --overwrite --purpose server-auth $DEST/java/cacerts

Now try importing the certificate again. keytool should report an error to the effect of "Certificate already exists in keystore", which shows that the certificate is still present. If the certificate were absent, keytool would instead prompt for the keystore password and ask whether to trust the certificate.

A RedHat discussion on this topic can be found here: