Handling Non-Trusted Certificates in IntelliJ IDEA | Generated by AI
The “Untrusted Server’s Certificate” dialog in IntelliJ IDEA often appears when the IDE encounters SSL certificates that aren’t trusted by its keystore, such as self-signed or custom corporate certificates. Since you’ve already imported your corporation’s keystore into /lib/cacerts but still see the prompt, the issue might stem from IntelliJ not using that keystore or additional certificates causing the dialog. Here’s how to address it and potentially stop the prompts:
Option 1: Configure IntelliJ to Accept Non-Trusted Certificates Automatically
Enabling this option tells IntelliJ to bypass the dialog for untrusted certificates, but be cautious as it reduces security by accepting all certificates, potentially exposing you to man-in-the-middle attacks.
- Windows/Linux:
  - Go to File > Settings > Tools > Server Certificates.
  - Check the box for “Accept non-trusted certificates automatically”.
  - Click Apply and OK.
- macOS:
Note: This is not recommended unless you’re in a trusted, isolated network (e.g., air-gapped corporate environment), as it can make your IDE vulnerable to unverified connections.
Option 2: Verify and Correct the Keystore Configuration
Since you’ve imported the corporate keystore into /lib/cacerts, ensure IntelliJ is using it correctly. The issue might be that IntelliJ is still referencing its own truststore or the wrong cacerts file.
- Check the Keystore Path:
  - IntelliJ often uses its own truststore at ~/.IntelliJIdea<version>/system/tasks/cacerts or the JetBrains Runtime (JBR) truststore at <IntelliJ Installation>/jbr/lib/security/cacerts.
  - If you modified /lib/cacerts in the IntelliJ directory, confirm it’s the correct path for your IDE version. For JetBrains Toolbox installations, the path might differ (e.g., ~/AppData/Local/JetBrains/Toolbox/apps/IDEA-U/ch-0/<version>/jbr/lib/security/cacerts on Windows).
  - Use the keytool command to verify the certificate is in the cacerts file:
    keytool -list -keystore <path-to-cacerts> -storepass changeit
    Ensure your corporate CA certificate is listed.
- Point IntelliJ to the Custom Keystore:
  - If the certificate is correctly imported but IntelliJ still prompts, it might not be using the modified cacerts. Add a custom VM option to specify the truststore:
- Re-import the Certificate:
  - If the certificate import was incomplete or incorrect, re-import it:
    keytool -import -trustcacerts -file <certificate-file>.cer -alias <alias> -keystore <path-to-cacerts> -storepass changeit
    Replace <certificate-file>.cer with your corporate CA certificate and <path-to-cacerts> with the correct cacerts file path.
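Added example (not part of the original page): a small checker that parses the output of the keytool -list command above for several candidate truststores and reports which of them actually contain the corporate CA, matching on the SHA-256 fingerprint rather than the alias. The fingerprints, listings and the alias corp-root-ca are constructed sample data; the store paths are the ones named on this page.

```python
import re

# An entry in `keytool -list` output spans two lines: "<alias>, <date>,
# trustedCertEntry," then "Certificate fingerprint (SHA-256): AA:BB:...".
ENTRY = re.compile(r"^(?P<alias>.+?), .*(?:trustedCertEntry|PrivateKeyEntry),\s*$")
FPR = re.compile(r"^Certificate fingerprint \(SHA-256\): (?P<fp>[0-9A-Fa-f:]+)\s*$")

def normalize(fp):
    """Make fingerprints comparable regardless of case or ':' separators."""
    return fp.replace(":", "").replace(" ", "").upper()

def parse_listing(text):
    """Return {alias: fingerprint} for every entry in a keytool listing."""
    entries, alias = {}, None
    for line in text.splitlines():
        if m := ENTRY.match(line):
            alias = m.group("alias")
        elif (m := FPR.match(line)) and alias is not None:
            entries[alias] = normalize(m.group("fp"))
            alias = None
    return entries

def check_store(text, ca_fp, alias):
    """Classify one truststore as 'trusted', 'stale-alias' or 'missing'."""
    entries = parse_listing(text)
    if normalize(ca_fp) in entries.values():
        return "trusted"
    # The alias exists but holds a different certificate, e.g. a rotated CA.
    return "stale-alias" if alias in entries else "missing"

def audit(stores, ca_fp, alias):
    return {path: check_store(text, ca_fp, alias) for path, text in stores.items()}

# Constructed sample data: not real certificates and not real keytool runs.
FP_CORP, FP_OLD, FP_OTHER = (":".join([b] * 32) for b in ("A1", "B2", "C3"))

def listing(*pairs):
    """Build constructed keytool -list output for (alias, fingerprint) pairs."""
    head = "Keystore type: JKS\nKeystore provider: SUN\n\n"
    return head + "".join(f"{a}, Jan 5, 2024, trustedCertEntry, \n"
                          f"Certificate fingerprint (SHA-256): {fp}\n" for a, fp in pairs)

STORES = {  # paths as named on this page; contents are constructed
    "/lib/cacerts": listing(("corp-root-ca", FP_CORP), ("other-ca", FP_OTHER)),
    "<IntelliJ Installation>/jbr/lib/security/cacerts": listing(("other-ca", FP_OTHER)),
    "$JAVA_HOME/lib/security/cacerts": listing(("corp-root-ca", FP_OLD)),
}

if __name__ == "__main__":
    for path, status in audit(STORES, FP_CORP.lower(), "corp-root-ca").items():
        print(f"{status:12} {path}")
```

In real use, feed each store's saved keytool -list output into audit() and take the expected fingerprint from keytool -printcert -file <certificate-file>.cer. A store that reports stale-alias needs the old entry deleted before the re-import.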
Option 3: Add Certificates via IntelliJ’s Server Certificates Settings
Instead of modifying the cacerts file manually, you can add certificates through IntelliJ’s UI, which stores them in its internal truststore:
- Go to File > Settings > Tools > Server Certificates (or IntelliJ IDEA > Preferences on macOS).
- Click the “+” button to add a new certificate.
- Browse to your corporate CA certificate file (in .cer or .pem format) and import it.
- Restart IntelliJ to ensure the certificate is recognized.
Option 4: Check for Proxy or Antivirus Interference
Corporate environments often use proxies or antivirus software (e.g., Zscaler, Forcepoint) that perform man-in-the-middle SSL inspection, generating new certificates dynamically. This can cause repeated prompts if the certificates change frequently (e.g., daily, as with McAfee Endpoint Security).
- Import Proxy/Antivirus CA Certificate:
  - Obtain the root CA certificate from your proxy or antivirus software (ask your IT team).
  - Import it into IntelliJ’s truststore via Settings > Tools > Server Certificates or into the cacerts file using the keytool command above.
- Disable SSL Inspection (if possible):
  - If your proxy allows, configure it to bypass SSL inspection for IntelliJ-related domains (e.g., plugins.jetbrains.com, repo.maven.apache.org).
Option 5: Debug and Identify Problematic Certificates
If the issue persists, identify which server or certificate is causing the prompt:
- Enable verbose SSL logging:
- Check for specific plugins or integrations:
  - Plugins like Maven, Gradle, or version control systems (e.g., Git, SVN) may connect to servers with different certificates. Disable plugins temporarily to isolate the issue.
  - For Maven, ensure the JDK configured in File > Settings > Build, Execution, Deployment > Build Tools > Maven > Runner uses the updated cacerts.
Additional Notes
- Security Warning: Accepting non-trusted certificates automatically is convenient but risky in non-isolated networks. Only use this in trusted environments.
- System Time Sync: Ensure your system clock is synchronized, as a mismatch can cause certificate validation issues.
- JetBrains Runtime (JBR): IntelliJ runs on its own JBR, which may not use the system’s Java truststore. Changes to the system’s $JAVA_HOME/lib/security/cacerts won’t affect IntelliJ unless explicitly configured.
- Persistent Prompts: If prompts persist after importing the certificate, it could be due to a plugin or service (e.g., JFrog, SonarQube) using a different truststore. Check plugin settings or contact your IT team for the full certificate chain.
Recommended Approach
- Try Option 3 (add certificates via IntelliJ’s UI) first, as it’s the safest and most straightforward.
- If that fails, verify the keystore path and configuration with Option 2.
- Use Option 1 (auto-accept) only as a last resort in a trusted environment.
- If the issue involves a proxy or antivirus, work with your IT team to obtain and import the correct CA certificates.
If you still face issues, share details about the certificate (e.g., issuer, domain) or any error messages from the idea.log file, and I can help narrow it down further.