Gist: laurentpetit/e3b6d07cbc8b26373deb
Make an SSL certificate visible to your app
Since the server is using https, we need to:

1/ obtain the certificate from the server,
2/ add this certificate to java's default trusted store
3/ restart the server
1/ obtain the certificate from the server

Here's a recipe that can be used when you're stuck with the command-line, as is generally the case if you're configuring a server:

* Create the following file to help you get the certificate, let's name it `retrieve-cert.sh`:

```sh
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}   # default to the https port
# An empty stdin makes s_client exit right after the handshake; stderr is
# merged into stdout so sed sees one stream, and only the PEM block is kept.
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
```

* Call the file with the IP of the server (let's say it's 10.235.246.123 for the example), the port (generally 443 for https), and send the output to some file, let's name it `server.pem`:

```sh
sh retrieve-cert.sh 10.235.246.123 443 > server.pem
```
2/ add this certificate to java's default trusted store

* each Java Development Kit installation (whose home directory is generally known as `${JAVA_HOME}`) has a default certificate trusted store, located in `${JAVA_HOME}/security/cacerts`
* and by default a JVM when started will load all the certificates present in this trusted store
* so you'll just type the following command, which will add the server's certificate located in file `server.pem` to this default trusted store:

```sh
JAVA_HOME=/path/to/your/java/home # e.g. for ubuntu it'll be /etc/java-6-sun
CERTIFICATE_ALIAS="some-alias-for-your-certificate-inside-the-trusted-store"
sudo ${JAVA_HOME}/bin/keytool -import -alias ${CERTIFICATE_ALIAS} -keystore ${JAVA_HOME}/security/cacerts -file server.pem
```

* the default password for the JDK's cacerts keystore is `changeit`
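A small helper for steps 1/ and 2/, added here as an example and not part of the gist: it pulls every PEM block out of `openssl s_client` output (the sed step above, generalised to chains printed with `-showcerts`), prints each certificate's SHA-256 fingerprint so you can check it against a value obtained from the server's owner before trusting it, and assembles the keytool command from step 2/. The transcript is constructed (its "certificate" body is only base64 of `abc`, not a real certificate), and the cacerts path and alias are assumed placeholders; make sure the keystore path really exists, because `keytool -import` silently creates a new keystore at a path that does not.

```python
"""Helper for steps 1/ and 2/: extract certificates from openssl s_client
output, show their SHA-256 fingerprints for out-of-band comparison, and build
the keytool command. Added example; the cacerts path and alias are assumed."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def extract_pems(s_client_output):
    """All PEM certificates in the transcript: the sed step of the recipe,
    generalised to chains printed by `openssl s_client -showcerts`."""
    return ["-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
            for body in PEM_BLOCK.findall(s_client_output)]

def sha256_fingerprint(pem):
    """SHA-256 over the DER bytes, colon-separated as keytool -printcert shows
    it, so it can be compared with the value the server's owner gives you."""
    body = "".join(PEM_BLOCK.search(pem).group(1).split())
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def keytool_import_cmd(java_home, cacerts, alias, pem_path):
    """The import command of step 2/ (password prompt: `changeit` by default).
    cacerts must already exist: keytool creates a new keystore otherwise."""
    return ("sudo %s/bin/keytool -import -alias %s -keystore %s -file %s"
            % (java_home, alias, cacerts, pem_path))

# Constructed transcript in s_client's layout. The "certificate" body is just
# base64("abc"), NOT a real certificate, so the example runs offline and its
# fingerprint is the well-known SHA-256("abc") test vector.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = 10.235.246.123
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = 10.235.246.123
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    for pem in extract_pems(SAMPLE_S_CLIENT_OUTPUT):
        print("SHA-256 fingerprint:", sha256_fingerprint(pem))
    print(keytool_import_cmd("/path/to/your/java/home",  # assumed values
          "/path/to/your/java/home/security/cacerts", "my-server", "server.pem"))
```

Run the printed keytool command only after the fingerprint matches one obtained through a channel other than the connection itself; feeding real `s_client` output in place of the sample is all that is needed to use it on a server.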