IntelliJ IDEA 2023.3 Help

Trusted root certificates

Trusted certificates establish a chain of trust that verifies other certificates signed by the trusted roots — for example, to establish a secure connection to a web server.

IntelliJ IDEA gets the list of trusted root certificates from the system trust store and its storage is customizable from IntelliJ IDEA settings.

If the enterprise environment in which you are working uses custom certificates, IntelliJ IDEA trusts such certificates by default. No additional configuration is required.

Upon the certificate checking, IntelliJ IDEA also checks the system trust stores for Windows, macOS, and Linux.

How it works under the hood

Under Linux, all certificates in .crt (PEM) format from the following locations are imported:

  • /etc/ssl/certs/*

  • /etc/pki/tls/certs/*

  • /system/etc/security/cacerts/*

  • /etc/ssl/certs/ca-certificates.crt

  • /etc/pki/tls/certs/ca-bundle.crt

  • /etc/ssl/ca-bundle.pem

  • /etc/pki/tls/cacert.pem

  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

  • /etc/ssl/cert.pem

For more information, refer to the JetBrains Linux Trusted Certificates library.

Under macOS X, the code calls system functions to get system-wide and user-specific custom trusted certificates.

For more information, refer to the JetBrains macOS Trusted Certificates library.

Under Windows, the code calls system functions to get system-wide, user-specific, or group-policy distributed trusted certificates.

For more information, refer to the JetBrains Windows Trusted Certificates library.

Logs and diagnostics

In case you've encountered a problem with certificates, you can quickly troubleshoot it by enabling the following debug categories:

  • org.jetbrains.nativecerts

  • #com.intellij.util.net.ssl

Collect additional logs in IntelliJ IDEA

  1. In the main menu, go to Help | Diagnostic Tools | Debug Log Settings.

  2. In the dialog that opens, add the debug categories and click OK to save the changes.

    Custom Debug Log Configuration
  3. Reproduce the issue.

  4. Go to Help | Collect Logs and Diagnostic Data to collect logs.

    Send the logs to our support along with the problem detailed description and a scenario to reproduce it.

Locate the IDE log files

  • Go to Help | Show logs in Finder. This menu item depends on the OS you are using. For example, for Windows, it would be Show logs in Explorer.

    The log file is named idea.log and is rotated based on the file size. When attaching logs to your problem report, it's recommended that you archive (.zip) and send several latest log files (idea.log, idea.log.1, idea.log.2, idea.log.3).

    You can also use the Collect Logs and Diagnostic Data option to generate the .zip file with all the log files (including the build logs and the automatic thread dumps).

Certificates manual installation

If you use a proxy server that decrypts all TLS traffic like mitmproxy or fiddler, you may import its self-signed certificate to the system so all applications on the local machine will trust it (including IntelliJ IDEA). However, this is potentially insecure since you can impersonate any Website with a private key from that certificate.

After you've generated the certificate, use one of the following procedures to add it to the trust store:

Install root certificate

  1. Generate the certificate in the .crt (PEM) format.

  2. Add the certificate to the one of the listed directories.

    For example, you can use /etc/ssl/certs/ or /etc/pki/tls/certs/.

Install root certificate

  1. Open up Keychain Access by searching it on Spotlight (click the Magnifying glass located in the upper right corner).

  2. Select File | Import Items and navigate to the downloaded file.

  3. In the Destination Keychain field, select System and click Open.

  4. Right-click the certificate in Keychain Access and select Get Info.

  5. Expand the Trust section and under When using this certificate, select Always Trust.

Install root certificate

  1. Click Start, click Start Search, type mmc, and then press Enter.

  2. Click Yes if you get the UAC screen and prompted about changes to your computer.

  3. In the File menu, select Add/Remove Snap-in.

  4. Under Available snap-ins, click Certificates, and then click Add.

  5. Under This snap-in will always manage certificates for, click Computer account, and then click Next.

  6. Click Local computer, and click Finish.

  7. If you have no more snap-ins to add to the console, click OK to return to the Console root screen.

  8. In the console tree, double-click Certificates.

  9. Right-click the Trusted Root Certification Authorities store.

  10. Select All Tasks | Import to import the certificates and follow the steps in the Certificate Import Wizard.

Last modified: 19 March 2024