Tuesday, May 29, 2012

How to register SSL certificates in your JVM?

You wrote a Java program which needs to access an external resource through SSL (such as LDAPS or HTTPS)?

Okay, this post is for you.

The first thing you have to know is that the first time you establish a secured connection to something, you (normally) have to accept the certificate used to encrypt the dialog. In apps that interact with end users (such as a web browser), the user often sees a popup which asks them to trust the certificate. But if the secured connection is established behind the scenes (without any possibility of showing a popup to somebody, as in batch processing apps), the certificate must be trusted before establishing the connection.

In Java, there's a wallet which contains trusted certificates. It is located in [JAVA_HOME]/jre/lib/security/cacerts

I explain here how to extract the public key of an SSL certificate and how to register it in the cacerts file.

Step 1: let's extract the public key from a secured connection

We will use OpenSSL for that. Just run from a shell:
openssl s_client -connect [URL_TO_REACH]:443 > cert.pem

This will generate a file "cert.pem". Edit this file and remove the text before and after the certificate, keeping only the block from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (you will understand when you see it).

Step 2: register the cert.pem in the cacerts wallet

There are four prerequisites to know:
  • the certificate has to be associated with an alias in the wallet (and you will see that you will be able to remove it from the wallet by this alias later)
  • for Unix users, you have to be root to register a certificate
  • the default password of the cacerts wallet is "changeit"
  • don't forget to restart your program after having registered the certificate
To register your cert.pem, just do:
su -c "[JAVA_HOME]/jre/bin/keytool -import -alias [MY_CERT_ALIAS] -storepass changeit -keystore [JAVA_HOME]/jre/lib/security/cacerts -file cert.pem"
(Don't forget to replace [JAVA_HOME] and [MY_CERT_ALIAS] with your own values.)

If you need to remove this certificate, just do:
su -c "[JAVA_HOME]/jre/bin/keytool -delete -alias [MY_CERT_ALIAS] -storepass changeit -keystore [JAVA_HOME]/jre/lib/security/cacerts"

That's all.

UPDATE (October 2016):

If you have a handshake failure, try this:

openssl s_client -tls1 -connect [URL_TO_REACH]:443 > cert.pem
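
The manual edit in step 1 can be scripted. This added example (not part of the original post) extracts the certificate block from saved s_client output and fails when there is none, as happens after a handshake failure; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Print the first complete PEM certificate block found in FILE (saved
# s_client output). Exit status is 1 when there is none, for example after
# a handshake failure or when the output stops before the END marker.
extract_first_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; block = "" }
        inside { block = block $0 "\n" }
        inside && /^-----END CERTIFICATE-----/ { printf "%s", block; found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample of s_client standard output. The base64 body is a
# placeholder, not a real certificate.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.test
   i:/CN=example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBplaceholderPLACEHOLDERplaceholderPLACEHOLDERplaceholder0000
AAAAplaceholderPLACEHOLDERplaceholderPLACEHOLDERplaceholder1111
-----END CERTIFICATE-----
subject=/CN=example.test
issuer=/CN=example.test
---
EOF
}

# Demo: turn the raw output into a cert.pem holding only the certificate.
demo() {
    dir=$(mktemp -d) || return 1
    sample_output > "$dir/raw.txt"
    extract_first_cert "$dir/raw.txt" > "$dir/cert.pem"
    status=$?
    cat "$dir/cert.pem"
    rm -rf "$dir"
    return "$status"
}
demo
```

Before importing, compare the output of `openssl x509 -in cert.pem -noout -fingerprint -sha256` with a fingerprint obtained from the server's administrator, since the certificate was fetched over the same unauthenticated connection it is meant to secure.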


Eric said...

Thank you! This made what seemed like a daunting task much easier! I was able to successfully make the connection now.
