Removing Unused CA Certificates

The Java and IDM truststore files include a number of root CA certificates. Although the probability of a compromised root CA certificate is low, it is best practice to delete root CA certificates that are not used in your deployment.

To review the list of root CA certificates in the IDM truststore, run the following command:

keytool \
-list \
-keystore /path/to/openidm/security/truststore \
-storepass changeit

On UNIX/Linux systems, you can find additional lists of root CA certificates in files named cacerts. These include root CA certificates associated with your Java environment, such as Oracle JDK or OpenJDK. You should be able to find that file in ${JAVA_HOME}/jre/lib/security/cacerts.

Before changing Java environment keystore files, make sure that the Java-related cacerts files are up to date and verify that you have a supported Java version installed:

Supported Java Versions

OpenJDK, including OpenJDK-based distributions:

  • AdoptOpenJDK/Eclipse Adoptium

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Adoptium.


Oracle Java


You can remove root CA certificates with the keytool command. For example, the following command removes the hypothetical examplecomca2 certificate from the truststore:

keytool \
-delete \
-keystore /path/to/openidm/security/truststore \
-storepass changeit \
-alias examplecomca2

Repeat the process for all root CA certificates that are not used in your deployment.

On Windows systems, you can manage certificates with the Microsoft Management Console (MMC) snap-in tool. For more information, see Working With Certificates in the Microsoft documentation.

Read a different version of :