consume http services with self-signed or rare ssl certificates, selfsigned, cacert

consume http services with self-signed or rare ssl certificates - java solution.md

quickly explanation

• get the certificate of http service using any method
• load this certificate into your jdk cacert (usually /foo/jdk_home/jre/lib/security/cacerts)
• point your java code to this cacert

System.setProperty("javax.net.ssl.trustStore", "/foo/jdk_home/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

challenges

• sometimes is hard to get the certificate. In this case you could use openssl to extract the certificate from the url or ip:port :

  • https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
  • https://www.baeldung.com/linux/ssl-certificates

• the extracted certificate cannot be directly loaded into the jdk cacert. In this case if you have the certificate type A but the cacert needs a type B, you need to converted them

  • https://knowledge.digicert.com/solution/SO26449.html

Steps

load this certificate into your jdk cacert

https://stackoverflow.com/questions/4325263/how-to-import-a-cer-certificate-into-a-java-keystore

# linux
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias" 

# windows
keytool -importcert -file D:\foo\bar\acme.cer -keystore C:\foo\bar\openjdk-xyz\jre\lib\security\cacerts -alias "acme service"