Monday, May 12, 2008

Java and self-signed SSL certificates

It is very common in test environments to employ self-signed SSL certificates in HTTP servers (e.g., Apache HTTPD, Tomcat) rather than certificates issued by trusted commercial Certification Authorities. When trying to open a SSL connection to a host using a self-signed SSL certificate, however, the JSSE throws the following exception:
javax.net.ssl.SSLHandshakeException: (...)
unable to find valid certification path to requested target

Andreas Sterbenz provides a very nice guide that shows you how to add a self-signed SSL certificate to the keystore with your app's trusted certificates. It basically comes down to 4 steps:
  1. Use his InstallCert java program to make a request to the host with the SSL certificate you want to trust. Assuming the host address "somehost.com" and the port for the SSL connection is "8443", you should compile the InstallCert.java file and execute it with these parameters:
    java InstallCert somehost.com:8443
  2. Following the instructions on the guide, after the exception you should receive a list of SSL certificates from the host. If you decide to trust one of them, pick the number corresponding to that certificate.
  3. If you picked one of the available certificates, the InstallCert program will generate a file called jssecacerts on the directory where you executed the program.
  4. To use the newly added certificate when establishing SSL connections to "somehost.com", add the following line your java application:
    System.setProperty("javax.net.ssl.trustStore", "path/to/jssecacerts");

    where "path/to/" represents the full path to your jssecacerts file
And that's it! Now you can try creating an HttpClient and performing an HTTP/GET operation to see it working :-)
Posted by at
Labels: , , , , , ,

4 comments:

Unknown said...

Hi there,

If you're running Java in MacOS X, I guess you can simply add the certificates to your user/system keychain, and set the trust level to always trust. There is a bunch of other security related options you can access at the "Java Preferences" utility at "Application/Utilities".

May 13, 2008 at 12:49 AM
b said...

Thanks, Drebes!

Unfortunately, I was running a linux distribution with access only to a text-based browser, so it didn't give me the option to accept the certificate :-(

May 14, 2008 at 10:46 AM
Å®çåñë ĉåñţïçłξ said...

Yeah, it's uber-simple on OS X ... and you can even get it to do "tricks" with keychain scripting utility =)

May 21, 2008 at 3:13 PM
Carol said...

Ô Joana, obrigada.
Acho que pelo visto vou acabar fazendo algumas para uso próprio mesmo.
E quem sabe alguém se interesse por elas, né?
Achei bem ridículo pessoas querendo lucrar TANTO com algo que objetivo deveria ser outro.
Enfim, vamos ver no que vai dar.
Quando eu fizer alguma, posto por lá! ;)

ps - legal saber que tu também é de poa.

August 27, 2008 at 5:57 PM

Post a Comment

Subscribe to: Post Comments (Atom)