
Adding a Certificate into the Java Certificate Store

jkandasa edited this page Jan 18, 2013 · 1 revision

If a Java application talks to a service over SSL/TLS and the server's certificate was not issued by a CA already present in the JRE's trust store (cacerts), the JSSE client rejects the handshake with "PKIX path building failed: unable to find valid certification path to requested target". That is exactly the case in the transcript below: the server presents a self-signed certificate (Subject and Issuer are identical), so there is no trusted path to build. The fix is to add that certificate to the JRE's trust store so the JVM accepts it as a trust anchor. The InstallCert.java utility used here is the one circulated on Sun blogs; I have copied the same locally here. Follow the steps below to add the server certificate to the JRE's trust store.

Step #1

Get the InstallCert.java file from here

Step #2

Compile and run InstallCert with the server's hostname and HTTPS port. It loads the JRE's cacerts, opens a connection with a trust manager that records whatever chain the server sends (so the first handshake deliberately fails validation, as in the stack trace below), lists the certificates with their fingerprints, and asks which one to add. Before you press "Enter" (which selects certificate [1]), compare the printed sha1 fingerprint with one obtained out of band from whoever runs the server: InstallCert trusts whatever certificate it sees on this first connection, so if an attacker is in the path at that moment their certificate would become permanently trusted. Once confirmed, it writes the updated trust store to a file named "jssecacerts" in the current directory, with the certificate stored under an alias derived from the hostname.

[jkandasa@jkandasa tmp]$ javac InstallCert.java 
[jkandasa@jkandasa tmp]$ java InstallCert mercury.lab.eng.pnq.redhat.com:8080
Loading KeyStore /NotBackedUp/applications/jdk1.6.0_26/jre/lib/security/cacerts...
Opening connection to mercury.lab.eng.pnq.redhat.com:8080...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
	at InstallCert.main(InstallCert.java:97)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
	at sun.security.validator.Validator.validate(Validator.java:218)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
	at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:192)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198)
	... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
	... 14 more

Server sent 1 certificate(s):

 1 Subject CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
   Issuer  CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
   sha1    ff c8 b1 91 74 05 59 2c 11 91 c0 64 b5 2b 01 84 e0 f0 8b 31 
   md5     fe d7 96 7c f9 7d 09 1a d0 d3 85 b9 39 a8 b3 18 

Enter certificate to add to trusted keystore or 'q' to quit: [1]


[
[
  Version: V3
  Subject: CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: 161187556776513729382881565459404136963270685205577309875723281816004984714274861602774548209683036348667383220924578329903549794155523913749361386287829653820474629732490671528243636421729677959576494922581747078979013519385016759456341213592937407978447712527493863519381088470146984632576065706365860531819
  public exponent: 65537
  Validity: [From: Sat Dec 29 19:42:30 IST 2012,
               To: Tue Dec 29 19:42:30 IST 2015]
  Issuer: CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
  SerialNumber: [    5037b1d0]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 06 B9 60 0B 04 10 7A   58 A3 D8 75 DA 74 73 DE  y..`...zX..u.ts.
0010: AC B8 37 B4                                        ..7.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 95 5B 76 F8 E7 BA B8 E2   36 84 17 61 BC 9F F6 6A  .[v.....6..a...j
0010: E4 1B 93 56 D1 05 51 78   F9 27 52 EF 0A 94 14 AF  ...V..Qx.'R.....
0020: 3C F0 7C EC 69 78 25 56   6E 51 A1 22 D7 CF 36 9D  <...ix%VnQ."..6.
0030: A1 2E ED 24 D4 3B 9D 48   55 D7 86 5B 41 E5 2B B2  ...$.;.HU..[A.+.
0040: F2 D5 3B 36 F9 40 4E B8   64 3C 6B 0A 07 EC B1 FE  ..;[email protected]<k.....
0050: 6F C8 7C 39 22 2A 79 E6   C0 1F BA 4F 64 DD 0D 72  o..9"*y....Od..r
0060: 4A 07 8F 2C FC 17 73 B0   E5 72 BD 5B B1 62 3A 2F  J..,..s..r.[.b:/
0070: 29 2F 7E B9 B9 B6 B3 9E   0E C8 72 B9 5B 6A E0 65  )/........r.[j.e

]

Added certificate to keystore 'jssecacerts' using alias 'mercury.lab.eng.pnq.redhat.com-1'
[jkandasa@jkandasa tmp]$

Step #3

Verify the trust store. Run the InstallCert command again from the same directory: it now loads the "jssecacerts" file it just wrote instead of the JRE cacerts, and the handshake completes ("No errors, certificate is already trusted"). Answer 'q' at the prompt; pressing "Enter" again, as in the transcript below, simply re-adds the same certificate under the same alias.

[jkandasa@jkandasa tmp]$ java InstallCert mercury.lab.eng.pnq.redhat.com:8080
Loading KeyStore jssecacerts...
Opening connection to mercury.lab.eng.pnq.redhat.com:8080...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 1 certificate(s):

 1 Subject CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
   Issuer  CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
   sha1    ff c8 b1 91 74 05 59 2c 11 91 c0 64 b5 2b 01 84 e0 f0 8b 31 
   md5     fe d7 96 7c f9 7d 09 1a d0 d3 85 b9 39 a8 b3 18 

Enter certificate to add to trusted keystore or 'q' to quit: [1]


[
[
  Version: V3
  Subject: CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: 161187556776513729382881565459404136963270685205577309875723281816004984714274861602774548209683036348667383220924578329903549794155523913749361386287829653820474629732490671528243636421729677959576494922581747078979013519385016759456341213592937407978447712527493863519381088470146984632576065706365860531819
  public exponent: 65537
  Validity: [From: Sat Dec 29 19:42:30 IST 2012,
               To: Tue Dec 29 19:42:30 IST 2015]
  Issuer: CN=mercury.lab.eng.pnq.redhat.com, OU=JBOSS Operations Network, O=Red Hat, L=Bangalore, ST=Karnataka, C=IN
  SerialNumber: [    5037b1d0]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 06 B9 60 0B 04 10 7A   58 A3 D8 75 DA 74 73 DE  y..`...zX..u.ts.
0010: AC B8 37 B4                                        ..7.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 95 5B 76 F8 E7 BA B8 E2   36 84 17 61 BC 9F F6 6A  .[v.....6..a...j
0010: E4 1B 93 56 D1 05 51 78   F9 27 52 EF 0A 94 14 AF  ...V..Qx.'R.....
0020: 3C F0 7C EC 69 78 25 56   6E 51 A1 22 D7 CF 36 9D  <...ix%VnQ."..6.
0030: A1 2E ED 24 D4 3B 9D 48   55 D7 86 5B 41 E5 2B B2  ...$.;.HU..[A.+.
0040: F2 D5 3B 36 F9 40 4E B8   64 3C 6B 0A 07 EC B1 FE  ..;[email protected]<k.....
0050: 6F C8 7C 39 22 2A 79 E6   C0 1F BA 4F 64 DD 0D 72  o..9"*y....Od..r
0060: 4A 07 8F 2C FC 17 73 B0   E5 72 BD 5B B1 62 3A 2F  J..,..s..r.[.b:/
0070: 29 2F 7E B9 B9 B6 B3 9E   0E C8 72 B9 5B 6A E0 65  )/........r.[j.e

]

Added certificate to keystore 'jssecacerts' using alias 'mercury.lab.eng.pnq.redhat.com-1'
[jkandasa@jkandasa tmp]$

Step #4

Copy jssecacerts. Copy the generated "jssecacerts" file to your "$JAVA_HOME/jre/lib/security" folder ("$JAVA_HOME/lib/security" on Java 9 and later, which has no separate jre directory). JSSE's default trust manager looks for "jssecacerts" in that directory before falling back to "cacerts", so every application running on that JRE now trusts the certificate; keep in mind the file does not survive a JRE upgrade. If only one application needs the certificate, leave the JRE untouched and start that client with -Djavax.net.ssl.trustStore=/path/to/jssecacerts instead. Run your web service client again; it should now connect.
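The steps above trust whatever certificate the server happens to present on the first connection. The program below, an added example that is not the InstallCert.java the page links to, performs the same job with the check a practitioner would want: it fetches the server's chain with a recording trust manager, prints the leaf certificate's SHA-256 fingerprint, refuses to import unless that fingerprint matches one supplied on the command line (obtained from the server's administrator out of band), writes the result to "jssecacerts" starting from a copy of the JRE cacerts, and then performs a second, fully validating handshake against the new store to confirm the fix. Assumptions: the host:port and the expected fingerprint are command-line arguments, the JRE cacerts uses its default password "changeit", the alias name "<host>-pinned" is an arbitrary choice, and the server's own (leaf) certificate is what gets imported, which is correct for a self-signed server like the one in the transcript; for a CA-issued certificate you would pin and import the issuing CA instead.

```java
// PinnedCertImporter.java -- added example, not the page's InstallCert.java.
// Usage: java PinnedCertImporter host:port <expected-sha256-fingerprint-hex>
import javax.net.ssl.*;
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.Locale;

public class PinnedCertImporter {

    /** Trust manager that records the chain the server sent instead of validating it. */
    static final class SavingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] c, String a) { throw new UnsupportedOperationException(); }
        public void checkServerTrusted(X509Certificate[] c, String a) { this.chain = c; }
    }

    /** Lower-case hex SHA-256 over the DER encoding, the value to compare out of band. */
    static String fingerprintSha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** First connection: validation is off, so send no application data, just the handshake. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        SavingTrustManager tm = new SavingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10_000);
            s.startHandshake();
        }
        if (tm.chain == null) throw new IllegalStateException("server sent no certificate");
        return tm.chain;
    }

    /** Second connection: the default, validating trust manager built from the given store. */
    static void verifyTrusted(String host, int port, KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake(); // throws SSLHandshakeException if the chain still does not validate
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PinnedCertImporter host:port <expected-sha256-hex>");
            System.exit(2);
        }
        String[] hp = args[0].split(":");
        String host = hp[0];
        int port = Integer.parseInt(hp[1]);
        // Accept "ab:cd:..." or "abcd..." as printed by openssl/keytool; compare in constant time.
        String expected = args[1].replace(":", "").toLowerCase(Locale.ROOT);

        X509Certificate leaf = fetchChain(host, port)[0];
        String actual = fingerprintSha256(leaf);
        System.out.println("Subject : " + leaf.getSubjectX500Principal());
        System.out.println("Issuer  : " + leaf.getIssuerX500Principal());
        System.out.println("SHA-256 : " + actual);
        if (!MessageDigest.isEqual(actual.getBytes(), expected.getBytes())) {
            System.err.println("Fingerprint does not match the value obtained out of band; NOT importing.");
            System.exit(1);
        }

        // Start from the JRE's own cacerts (default password "changeit") so the existing
        // CA trust is preserved next to the new entry; java.home is the JRE directory.
        char[] password = "changeit".toCharArray();
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) { store.load(in, password); }
        store.setCertificateEntry(host + "-pinned", leaf); // alias name is an arbitrary choice
        try (OutputStream out = Files.newOutputStream(Paths.get("jssecacerts"))) { store.store(out, password); }
        System.out.println("Wrote jssecacerts with alias '" + host + "-pinned'");

        verifyTrusted(host, port, store);
        System.out.println("Verified: handshake succeeds against the updated trust store");
    }
}
```

The first handshake is the only place validation is switched off, and the socket is closed immediately after it, so no application data ever crosses an unauthenticated connection. The second handshake uses the ordinary PKIX trust manager initialised from the new store, which is the same check your web service client will perform once it picks up "jssecacerts".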
