Scenario

You want to fetch an XML file from a remote, HTTPS/SSL-secured server whose certificate is signed by a CA unknown to your standard JDK install. That requires you to install a local copy of said certificate on your system. You don't have access to the server other than over HTTP/HTTPS, and your browser doesn't support saving certificates (e.g. Safari and Firefox on Mac). Where do you go from here?

Thanks

To manojk, quasi, qubix, tim, twl and tcollen for various tips and hints that helped me along my quest.

How-To

Downloading a local copy of the certificate

Make sure you have OpenSSL installed. Build it from source or get a precompiled binary for Windows. Using s_client, you're going to download the certificate from the server:

openssl s_client -connect www.server.com:443

That will print the server's certificate (which carries its public key) in PEM form, looking similar to this:

{{{
-----BEGIN CERTIFICATE-----
MIIC+DCCAmGgAwIBAgILAQAAAAAA993JflYwDQYJKoZIhvcNAQEFBQAwaTELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExGTAXBgNVBAsTEFNl
Y3VyZSBTZXJ2ZXIgQ0ExJDAiBgNVBAMTG0dsb2JhbFNpZ24gU2VjdXJlIFNlcnZl
...
KKAmhiRodHRwOi8vY3JsLmdsb2JhbHNpZ24ubmV0L3NlcnZlci5jcmwwDQYJKoZI
hvcNAQEFBQADgYEAPjHjvyN83KNGqoletp9JEmu+nGBlHkPveYj/tob6GAwNqT/l
8D+9905gFpCGG6KRg+xkTsEM4dkxM/yriF2N76wlkbqxhquVUl/ie85hST2p1aS3
b0pGltHQlsaSBsz9MHbZzClw6sBk7L3HDvmiGwTH/2hDQpfI7wVF4LwUzXU=
-----END CERTIFICATE-----
}}}

Copy this (including the BEGIN and END lines) into a file, e.g. hostcert.crt.

Looking at your certificate

If you fancy taking a look at what is encoded in this blob of base64, use:

openssl x509 -noout -text -in hostcert.crt

Here's what you get:

{{{
Certificate:
}}}

Import the certificate into your Java keystore

Create a keystore to use

keytool -genkey

keytool comes with JDK-1.4.x. You will be asked a series of questions:

{{{
Enter keystore password: yourpwd
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=Your Name, OU=..., O=..., L=..., ST=..., C=BE correct?
Enter key password for <mykey>
}}}

Import hostcert.crt into your keystore

keytool -storepass yourpwd -alias alias_1 -import -file hostcert.crt

That will ask for confirmation and store the certificate under the alias 'alias_1' in ~/.keystore on Unix-y systems.

Teaching your JDK what keystore to use

The JVM takes a system property, javax.net.ssl.trustStore, that points it at the keystore to trust (it defaults to $JAVA_HOME/jre/lib/security/cacerts). With Cocoon and its built-in Jetty, just add the variable to your environment:

export JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/home/user/.keystore
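The steps above scripted end to end, as an added example that is not part of the original page or of Cocoon: it fetches the whole chain with openssl, splits it so the issuing CA's certificate can be imported rather than only the host certificate, prints the fingerprints to compare with a value obtained out of band, and imports with keytool. It assumes openssl and a JDK keytool on PATH; the host, keystore path, password and alias are placeholders passed on the command line, and the embedded transcript is constructed.

```shell
# Added example, not part of the original page or of Cocoon: scripts the
# openssl/keytool steps above. Assumes openssl and a JDK keytool on PATH.
set -eu

# Keep only the PEM blocks from an `openssl s_client` transcript on stdin.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Write each certificate on stdin to <prefix>1.pem, <prefix>2.pem, ... keytool
# reads only the first certificate in a file, so the chain must be split first.
split_pem() {
    awk -v p="$1" '/^-----BEGIN CERTIFICATE-----$/ { n++ } { print > (p n ".pem") }'
}

# Fetch the whole chain: -servername sends SNI so a virtual-hosted server returns
# the right certificate, -showcerts adds intermediates, </dev/null ends the session.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | extract_pem
}

# Import <prefix>N.pem as <alias>_N, printing each subject and SHA-256
# fingerprint so it can be compared with a value obtained out of band.
import_chain() {
    ks=$1; pw=$2; alias=$3; prefix=$4; i=1
    while [ -f "$prefix$i.pem" ]; do
        openssl x509 -noout -subject -fingerprint -sha256 -in "$prefix$i.pem"
        keytool -importcert -noprompt -trustcacerts -keystore "$ks" \
            -storepass "$pw" -alias "${alias}_$i" -file "$prefix$i.pem"
        i=$((i + 1))
    done
    keytool -list -keystore "$ks" -storepass "$pw"
}

# Constructed s_client transcript (placeholder base64, not real certificates)
# for trying extract_pem and split_pem offline.
SAMPLE_TRANSCRIPT=' 0 s:CN = www.server.com
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:O = Example CA
-----BEGIN CERTIFICATE-----
Q0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----'
# Usage: sh fetch-cert.sh www.server.com 443 ~/.keystore yourpwd alias_1
if [ $# -ge 5 ]; then
    fetch_chain "$1" "$2" | split_pem "./$1-"
    import_chain "$3" "$4" "$5" "./$1-"
fi
```

Importing the CA's certificate (the last file written) instead of the host certificate keeps the trust store valid when the server's own certificate is renewed.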

That's all! -- StevenNoels



HTTPsSources (last edited 2009-09-20 23:42:09 by localhost)