Nuxeo Server

Trust Store and Key Store Configuration


When Nuxeo communicates with other servers through network APIs, and you want these communications to be secured, you may need to add authentication certificates to your key store (all the certificates known to the JVM) and trust store (all the certificates that the JVM trusts) because:

  • establishing a connection may require (depending on the remote server configuration) presenting a local certificate to the remote server, so that it knows the Nuxeo server is legitimate,
  • the remote server may present a certificate signed by a certification authority (or a self-signed certificate) not known to the standard Java trust store.

The Key Store will contain all the keys needed by the JVM to be authenticated to a remote server.

If you set a custom trust store with your authorities exclusively, Marketplace, Studio and hot fix distribution integration will not work anymore since these servers expose certificates available in the default trust store. So we suggest that you add your certificates to the default trust store.

Static Trust Store and Key Store

To set up the trust store and key store statically, you just have to add the following system properties to Java:

| What for | Parameter name | Comment |
|---|---|---|
| Trust Store Path | | |
| Trust Store Password | | |
| Trust Store Type | | JKS for instance |
| Key Store Path | | |
| Key Store Password | | |

For instance you can add the following parameters to your JAVA_OPTS:



Adding Your Certificates into the Default Trust Store

You will find the default trust store shipped with your JVM in:


For instance on macOS, it could be:


By default the password for this Trust Store is "changeit".

So to add your certificates to the default trust store:

  1. Copy the default trust store.
  2. Launch the following command line to add your certificate to the default trust store copy:

    keytool -import -file /path/to/your/certificate.pem -alias NameYouWantToGiveOfYourCertificate -keystore /path/to/the/copy/of/the/default/truststore.jks -storepass changeit

  3. Set the trust store copy as your trust store statically (see Static Trust Store and Key Store above).

  4. Restart your Nuxeo instance.
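
The procedure above as a shell script, added here as an example and not taken from the Nuxeo documentation. It assumes the standard JSSE system property names (javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword, javax.net.ssl.trustStoreType) and the usual cacerts locations under the Java home; the function names and arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not Nuxeo's code). Function names and arguments are hypothetical.

# Step 1 helper: find the JVM's default trust store under a Java home.
# Assumed locations: lib/security/cacerts (JDK 9+), jre/lib/security/cacerts (JDK 8).
default_cacerts() (
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; exit 0; fi
    done
    exit 1
)

# Step 3 helper: JAVA_OPTS fragment using the standard JSSE system properties.
# The store type defaults to JKS, the type this page gives as an instance.
truststore_opts() {
    printf '%s %s %s\n' \
        "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=$2" \
        "-Djavax.net.ssl.trustStoreType=${3:-JKS}"
}

# Steps 1-3: copy the default store, import one certificate, print the options.
add_cert() (
    java_home=$1; cert=$2; entry=$3; copy=$4; pass=${5:-changeit}
    src=$(default_cacerts "$java_home") || { echo "no cacerts under $java_home" >&2; exit 1; }
    if [ -e "$copy" ]; then echo "refusing to overwrite $copy" >&2; exit 1; fi
    # Work on a copy so the JVM's own store, with the public CAs, stays intact.
    cp "$src" "$copy" || exit 1
    # Owner-writable only: whoever can write this file decides whom the JVM trusts.
    chmod 644 "$copy" || exit 1
    # Print the fingerprints so they can be compared with a value obtained out of band.
    keytool -printcert -file "$cert" >&2 || exit 1
    keytool -import -file "$cert" -alias "$entry" -keystore "$copy" -storepass "$pass" >&2 || exit 1
    # Confirm the alias is present in the copy before pointing the JVM at it.
    keytool -list -alias "$entry" -keystore "$copy" -storepass "$pass" >/dev/null || exit 1
    truststore_opts "$copy" "$pass"
)

# Usage: sh add-cert.sh JAVA_HOME CERT.pem ALIAS /path/to/copy.jks [STOREPASS]
if [ "$#" -ge 4 ]; then add_cert "$@"; fi
```

Append the printed options to JAVA_OPTS and restart Nuxeo, as in step 4.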


If your Nuxeo instance cannot access Connect anymore, or the Marketplace and Hot Fixes are no longer automatically available (through the Update Center for instance), this can mean that the trust store does not contain the certificates from the authority that signed the Nuxeo servers' certificates.

If you have the following error in your logs during connection establishment, the remote certificate is not trusted:

PKIX path building failed: unable to find valid certification path to requested target

The following messages mean there is no trust store or key store set for your JVM:

java.lang.RuntimeException: Unexpected error: the trustAnchors parameter must be non-empty

or

Error constructing implementation (algorithm: Default, provider: SunJSSE, class:

This means that at least the default configuration has been broken.

If you have one of the following errors, the remote server has been trusted but it asks for authentication and there is no key for that:

Received fatal alert: handshake_failure


Remote host closed connection during handshake

The following error can mean that the configured key store is not available:

Error constructing implementation (algorithm: Default, provider: SunJSSE, class:
History: Created by Solen Guitter
