CAcert CER refers to the public key certificate issued by CAcert.org, a community-driven certificate authority that provides free SSL/TLS certificates.
What are CAcert and CERT?
CAcert is a community-driven certificate authority that issues free public key certificates (CER), while CERT typically refers to a public key certificate issued for a specific domain or service.
Think of CAcert as a non-profit group giving away SSL/TLS certificates for websites, email systems, and other encryption needs. Their certificates work just like commercial ones, but most browsers and operating systems won't trust them automatically. That's because CAcert's root certificate isn't in the standard trust stores. When we say "CERT," we usually mean any public key certificate from a certification authority—including CAcert's.
What is a CAcert file?
A CAcert file (typically cacerts) is a system-wide keystore containing trusted root certificates issued by CAcert and other certificate authorities.
This file acts like a master list of trusted certificates for Java and other apps. It comes with Java installations and includes certificates from major CAs. You manage it with the keytool command from the Java Development Kit (JDK). Since Java 17, the default format switched from JKS to PKCS12. That's why you'll see the file in JAVA_HOME/conf/security/cacerts on newer versions.
How do I get a CAcert certificate?
You can obtain a CAcert certificate by submitting a Certificate Signing Request (CSR) through CAcert's website or by using OpenSSL to generate a key pair and certificate.
Start by creating a private key and CSR with OpenSSL: openssl req -new -newkey rsa:4096 -nodes -keyout yourdomain.key -out yourdomain.csr. Then head to CAcert's website to submit that CSR. After they validate your request, download the certificate and install it on your server. Want to use CAcert's Class 3 root certificate for internal certificates? You can, but remember—those won't be trusted publicly.
Is CAcert trusted?
As of 2026, CAcert certificates are not trusted by default in major web browsers and operating systems, including Chrome, Firefox, Windows, and macOS.
Here's the catch: CAcert's root certificate isn't in the standard trust stores maintained by browser and OS vendors. You'd need to manually add it to your system's trusted certificates to make CAcert-issued certificates work. Their SHA-256 hashing is secure, but the lack of inclusion in major trust stores really limits their practical use. For most real-world setups, certificates from widely trusted CAs like Let's Encrypt make way more sense.
Can I copy the cacerts file?
You should not directly copy the cacerts file across different Java versions, as each version includes specific trusted certificates that may differ.
Copying a cacerts file straight from one Java install to another is risky. Each version's file is tailored to its environment, and mismatched certificates can cause compatibility issues or security gaps. Instead, export only the certificates you need using keytool -exportcert and import them into the target cacerts file with keytool -importcert. That way, you're only moving what's necessary and keeping the target environment consistent. Since Java 11, you'll find the cacerts file at JAVA_HOME/conf/security/cacerts.
How do I read a cacerts file?
You can read a cacerts file using the Java Keytool command keytool -list -keystore cacerts with the default password "changeit".
To see all certificates in the cacerts file, open a terminal and run: keytool -list -keystore "path/to/cacerts" -storepass changeit. Just swap in your actual file path. On Windows with Java 17, that's usually C:\Program Files\Java\jre-17\lib\security\cacerts. Linux users will find it at $JAVA_HOME/lib/security/cacerts. Add the -v flag for detailed info like issuer, validity dates, and signature algorithms.
How do I open a .keystore file?
You can open a .keystore file using the KeyStore Explorer GUI tool or the Java Keytool command keytool -list -keystore yourfile.keystore.
KeyStore Explorer is a handy, open-source tool that works on Windows, macOS, and Linux. Grab it from keystore-explorer.org, install it, then open your file via Menu > Open > Open KeyStore. Prefer the command line? Use keytool -list -keystore yourfile.keystore -storepass yourpassword to view contents. If you leave out -storepass, keytool prompts for the password instead, which keeps it out of your shell history and the process list. Just don't lose that password: recovery options are practically nonexistent.
What is the difference between cacerts and a keystore?
The cacerts file stores trusted root certificates from certificate authorities, while a keystore file stores private keys and certificates for your own applications or servers.
Cacerts is like a phone book of trusted certificates—it holds public certificates from root CAs that Java trusts by default. A keystore (with extensions like .jks, .p12, or .keystore), on the other hand, is where you keep your own private keys and certificates. Your web server uses a keystore to show its SSL certificate to clients, while clients use cacerts to verify that certificate chain. They serve completely different purposes.
What is the Java cacerts password?
The default password for the Java cacerts file is "changeit".
This password protects the cacerts file from unauthorized changes. You'll need it when using keytool to import or export certificates. In production, definitely change this default—it's just a placeholder. To update it, run: keytool -storepasswd -new newpassword -keystore cacerts. Keep that new password secure and backed up. You don't want to be locked out of your trust store.
How do I issue a certificate?
To issue a certificate, generate a Certificate Signing Request (CSR), submit it to a certification authority (CA), and install the issued certificate on your server.
First, create a private key and CSR with OpenSSL: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr. Then submit that CSR to a CA like Let's Encrypt, DigiCert, or Sectigo. They'll validate your request and issue a certificate. Install that certificate on your web server (Apache, Nginx, IIS, etc.) alongside your private key. For local testing, you can skip the CA entirely with a self-signed certificate: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365.
Does it cost money to get HTTPS?
HTTPS certificates can be obtained for free from certificate authorities like Let's Encrypt, while paid options provide additional features and extended validation.
Free SSL/TLS certificates are available from providers like Let's Encrypt, which use automated issuance and renewal via the ACME protocol. These are trusted by all major browsers and work great for most websites and APIs. Paid certificates range from $10 to several hundred dollars per year and offer extras like extended validation (EV) certificates, longer validity, and warranties. For example, a domain-validated (DV) certificate from Let's Encrypt is free, while an EV certificate from a commercial CA might cost $100 or more annually.
How do I generate a CA certificate?
To generate a CA certificate, create a private key and a self-signed root certificate using OpenSSL, then use it to sign other certificates.
Start by generating a private key for your root CA: openssl genrsa -out rootCA.key 4096. Next, create a self-signed root certificate: openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt. This certificate will sign your intermediate and end-entity certificates. Keep that root CA key locked away offline to prevent compromise. You can then use this root certificate to sign other certificates by creating a CSR and signing it with your root CA's key.
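The signing step described above, carried through as an added example (not code from the original page): a private root signs a CSR for a server certificate, and openssl verify then checks the chain against that root. The subject names, the pki.cnf file, the function names and the optional key-size argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: private root CA -> signed server certificate -> chain check.
# Subject names, file names and function names are constructed for illustration.

write_cnf() {  # $1 = directory, $2 = DNS name for the server certificate
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

make_root_ca() {  # $1 = directory, $2 = CA common name, $3 = key bits (default 4096)
    openssl genrsa -out "$1/rootCA.key" "${3:-4096}" 2>/dev/null &&
    openssl req -x509 -new -key "$1/rootCA.key" -sha256 -days 3650 \
        -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=$2" -out "$1/rootCA.crt"
}

issue_server_cert() {  # $1 = directory, $2 = DNS name; CSR first, then the CA signs it
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -config "$1/pki.cnf" -subj "/CN=$2" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.crt" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/pki.cnf" -extensions v3_leaf \
        -out "$1/server.crt" 2>/dev/null
}

chain_ok() {  # $1 = root certificate offered as trust anchor, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && write_cnf "$d" app.internal.example &&
        make_root_ca "$d" "Example Root CA" &&
        issue_server_cert "$d" app.internal.example &&
        chain_ok "$d/rootCA.crt" "$d/server.crt" && echo "server.crt chains to rootCA.crt"
    rm -rf "$d"
}
demo
```

The server certificate verifies only because rootCA.crt is handed to openssl verify as the trust anchor; a client that does not have that root in its store rejects the same certificate, which is the situation this page describes for CAcert-issued certificates.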
What does a certification authority do?
A certification authority (CA) is a trusted organization that issues digital certificates to verify the identity of websites, servers, and individuals.
CAs validate who you are before issuing a certificate. They check domain ownership, business registration, or identity details, depending on the certificate type. Once validated, they issue a digital certificate containing your public key and identity information. Browsers and operating systems come pre-loaded with a list of trusted CAs (the root store), which lets them verify server certificates automatically. This system is what makes secure internet communication possible—without it, you couldn't trust the websites you visit.
Where is keystore JKS located?
The default location of the Java Keystore (JKS) file is JAVA_HOME/lib/security/cacerts, which is also used for the cacerts file.
Since Java 9, the default keystore format changed from JKS to PKCS12. The cacerts file, which holds trusted root certificates, lives in the same directory. On Java 8 and earlier, Windows users can find it at C:\Program Files\Java\jre8\lib\security\cacerts. Linux users might see it at /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts. Need a custom location? Set it with the javax.net.ssl.keyStore system property when running your Java apps.
How do I download CAcert?
You can download CAcert's root certificate bundle from curl.se/docs/caextract.html, which provides a PEM file containing all CAcert root certificates.
Grab the cacert.pem file from that link—it contains all the root certificates you need to validate CAcert-issued certificates. Save it somewhere secure, like /etc/ssl/certs/cacert.pem on Linux or C:\cacert\cacert.pem on Windows. After downloading, import this root certificate into your system's trust store or browser. Just remember: while CAcert's certificates are technically secure, most environments won't trust them automatically. Manual import is required for validation.
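Before importing anything from a downloaded PEM bundle, it helps to list what the file actually contains and compare a SHA-256 fingerprint with one obtained through a separate channel. The following is an added example, not part of the original page; the function names and the two "Constructed Root" certificates in the demo bundle are made up for illustration.

```sh
#!/bin/sh
# Added example: inspect a PEM bundle before trusting any certificate in it.

split_bundle() {  # $1 = bundle, $2 = output dir; writes cert-N.pem per certificate
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++; f = dir "/cert-" n ".pem"}
         f {print > f}
         /-----END CERTIFICATE-----/ {close(f); f = ""}' "$1"
}

fp256() {  # colon-separated upper-case SHA-256 fingerprint, as openssl prints it
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print "fingerprint<TAB>notAfter<TAB>subject" for every certificate in the bundle.
audit_bundle() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp"
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        printf '%s\t%s\t%s\n' "$(fp256 "$c")" \
            "$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$c" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Succeeds only if the bundle holds a certificate with the pinned fingerprint ($2).
bundle_has_pin() { audit_bundle "$1" | cut -f1 | grep -qxF "$2"; }

demo_bundle() {  # $1 = output file; two constructed self-signed certs plus comment lines
    for cn in "Constructed Root A" "Constructed Root B"; do
        echo "# $cn"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -days 30 \
            -subj "/CN=$cn" 2>/dev/null
    done > "$1"
}

b=$(mktemp) && demo_bundle "$b" && audit_bundle "$b"
rm -f "$b"
```

Run audit_bundle against the real file and import a root only after its fingerprint line matches the value published by the CA itself.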