Scenario
You want to fetch an XML file from a remote, HTTPS/SSL-secured server whose certificate is signed by a CA unknown to your standard JDK install. That requires you to install a local copy of that certificate on your system. You have no access to the server other than over HTTP/HTTPS, and your browser doesn't support saving certificates (e.g. Safari & Firefox on Mac). Where do you go from here?
Thanks
manojk, quasi, qubix, tim, twl, tcollen for various tips and hints that helped me along my quest.
How-To
Downloading a local copy of the certificate
Make sure you have OpenSSL installed. Build it from source or get a precompiled binary for Windows. Using s_client, you're going to download the certificate from the server:
openssl s_client -connect www.server.com:443
That will print the server's certificate in PEM form, looking similar to this:
{{{
-----BEGIN CERTIFICATE-----
MIIC+DCCAmGgAwIBAgILAQAAAAAA993JflYwDQYJKoZIhvcNAQEFBQAwaTELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExGTAXBgNVBAsTEFNl
Y3VyZSBTZXJ2ZXIgQ0ExJDAiBgNVBAMTG0dsb2JhbFNpZ24gU2VjdXJlIFNlcnZl
...
KKAmhiRodHRwOi8vY3JsLmdsb2JhbHNpZ24ubmV0L3NlcnZlci5jcmwwDQYJKoZI
hvcNAQEFBQADgYEAPjHjvyN83KNGqoletp9JEmu+nGBlHkPveYj/tob6GAwNqT/l
8D+9905gFpCGG6KRg+xkTsEM4dkxM/yriF2N76wlkbqxhquVUl/ie85hST2p1aS3
b0pGltHQlsaSBsz9MHbZzClw6sBk7L3HDvmiGwTH/2hDQpfI7wVF4LwUzXU=
-----END CERTIFICATE-----
}}}
Copy this (including the BEGIN and END lines) into a file, e.g. hostcert.crt.
Looking at your certificate
If you fancy taking a look at what is encoded in this blob, use:
openssl x509 -noout -text -in hostcert.crt
Here's what you get:
{{{
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:00:00:00:00:00:f7:dd:c9:7e:56
        Issuer: C=BE, O=GlobalSign nv-sa, OU=Secure Server CA, CN=GlobalSign Secure Server CA
        Validity
            Not Before: Sep 26 12:04:49 2003 GMT
            Not After : Sep 26 12:04:49 2006 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b0:89:6b:c9:b9:ff:14:e4:68:ee:31:d5:f6:77:
                    3e:d8:34:a1:e0:77:e6:38:69:e0:d2:a3:61:70:b1:
                    98:68:87:ab:3a:36:4e:ca:df:21:91:3d:0e:2e:78:
                    d6:0e:6c:5c:bb:6a:e5:3c:a6:e4:b5:4e:d0:7d:06:
                    38:4e:c8:c1:a3:bc:76:85:05:fd:37:9d:db:76:8f:
                    bf:d3:c1:a2:16:a1:59:88:37:e8:66:54:63:b8:9c:
                    bf:ad:88:09:3e:bf:df:8d:64:0c:67:2e:81:9a:9f:
                    ba:2f:50:14:7a:45:7a:16:9f:40:28:ba:78:9a:67:
                    f9:bc:4a:13:3c:44:08:01:1f
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier:
                keyid:85:AE:4B:9E:EB:65:2C:DD:FC:FD:C2:B3:E6:03:31:C6:85:54:31:32
            X509v3 CRL Distribution Points:
                URI:http://crl.globalsign.net/server.crl
        3e:31:e3:bf:23:7c:dc:a3:46:aa:89:5e:b6:9f:49:12:6b:be:
        9c:60:65:1e:43:ef:79:88:ff:b6:86:fa:18:0c:0d:a9:3f:e5:
        f0:3f:bd:f7:4e:60:16:90:86:1b:a2:91:83:ec:64:4e:c1:0c:
        e1:d9:31:33:fc:ab:88:5d:8d:ef:ac:25:91:ba:b1:86:ab:95:
        52:5f:e2:7b:ce:61:49:3d:a9:d5:a4:b7:6f:4a:46:96:d1:d0:
        96:c6:92:06:cc:fd:30:76:d9:cc:29:70:ea:c0:64:ec:bd:c7:
        0e:f9:a2:1b:04:c7:ff:68:43:42:97:c8:ef:05:45:e0:bc:14:
        cd:75
}}}
Import the certificate into your Java keystore
Create a keystore to use
keytool -genkey
keytool comes with JDK-1.4.x. -genkey creates the keystore file (seeded with a key pair under the alias mykey) and asks you a series of questions:
{{{
Enter keystore password:  yourpwd
What is your first and last name?
  [Unknown]:  Your Name
What is the name of your organizational unit?
  [Unknown]:  ...
What is the name of your organization?
  [Unknown]:  ...
What is the name of your City or Locality?
  [Unknown]:  ...
What is the name of your State or Province?
  [Unknown]:  ...
What is the two-letter country code for this unit?
  [Unknown]:  BE
Is CN=Your Name, OU=..., O=..., L=..., ST=..., C=BE correct?
  [no]:  yes
Enter key password for <mykey>
        (RETURN if same as keystore password):
}}}
Import hostcert.crt into your keystore
keytool -storepass yourpwd -alias alias_1 -import -file hostcert.crt
That will ask you to confirm that you trust the certificate, then store it under the alias 'alias_1' in ~/.keystore on Unix-y systems.
Teaching your JDK what keystore to use
The JVM reads the location of the trust store from a system property (it defaults to $JAVA_HOME/jre/lib/security/cacerts). With Cocoon and its built-in Jetty, just use export JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/home/user/.keystore to add the variable to your environment.
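The whole procedure above (download, inspect, import, point the JVM at the store) as one script, added here as an example; it is not part of the original page. Set REMOTE_HOST=host:port to fetch a real server certificate; when it is unset, the script generates a throw-away self-signed certificate to stand in for the remote server (constructed test data, so it runs offline). The trust-store path, its password and the alias are assumed values; the keytool step is skipped when no JDK is on the PATH.

```sh
#!/bin/sh
# Added example, not from the original wiki page. Assumptions: TRUSTSTORE,
# STOREPASS and the alias are arbitrary; REMOTE_HOST is optional (no network
# when unset, a constructed self-signed certificate is used instead).
set -e

WORK=$(mktemp -d)
HOST_CERT="$WORK/hostcert.crt"
TRUSTSTORE="$WORK/truststore.jks"   # dedicated store, so the JDK's cacerts stays untouched
STOREPASS="changeit"                # assumed password

# Extract just the PEM certificate from s_client's output (read on stdin).
# s_client prints handshake chatter around the certificate; openssl x509 skips
# ahead to the first "-----BEGIN CERTIFICATE-----" block and re-emits it cleanly,
# which replaces the manual copy-and-paste step.
extract_cert() {
    openssl x509 -outform PEM
}

# Download the certificate of host:port ($1). </dev/null closes stdin so
# s_client exits after the handshake instead of waiting for input; -servername
# sends SNI so a virtual-hosted server returns the right certificate.
fetch_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null | extract_cert
}

# SHA-256 fingerprint ("AB:CD:...") of the certificate in file $1. Compare it
# with a value obtained out of band before trusting a certificate you fetched
# over the very connection you could not verify.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Succeeds only if the certificate in file $1 is inside its validity period now.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Import file $1 under alias $2 into the dedicated trust store. -noprompt answers
# the "Trust this certificate?" question; -trustcacerts lets keytool chain
# through the JDK's own CA bundle when the file is an intermediate, not a root.
import_cert() {
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null
}

if [ -n "${REMOTE_HOST:-}" ]; then
    fetch_cert "$REMOTE_HOST" > "$HOST_CERT"
else
    # Constructed stand-in for the remote server: a self-signed certificate for
    # a fictitious host. The minimal config keeps openssl req happy on every version.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.server.com" \
        -config "$WORK/req.cnf" -keyout "$WORK/server.key" -out "$HOST_CERT" >/dev/null 2>&1
fi

echo "Fingerprint (SHA-256): $(cert_fingerprint "$HOST_CERT")"
cert_valid_now "$HOST_CERT"           # set -e aborts here if the certificate has expired
openssl x509 -in "$HOST_CERT" -noout -subject -issuer -dates

if command -v keytool >/dev/null 2>&1; then
    import_cert "$HOST_CERT" alias_1
    # -list confirms the entry landed as a trusted certificate entry.
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias alias_1
    echo "Start the JVM with: -Djavax.net.ssl.trustStore=$TRUSTSTORE"
fi
```

Using a separate trust store rather than ~/.keystore keeps the certificates the JVM trusts for connections apart from any private keys, and leaves the JDK's cacerts file unmodified, so a JDK upgrade cannot silently drop the entry. The fingerprint comparison is the step that actually closes the loop: the certificate arrives over the same untrusted channel, so it only deserves trust once the fingerprint matches one confirmed through another path.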
That's all! -- StevenNoels