
Make an SSL certificate visible to your app

Since the server is using https, we need to:
1/ obtain the certificate from the server,
2/ add this certificate to Java's default trusted store
3/ restart the server
 
 
1/ obtain the certificate from the server
 
Here's a recipe that can be used when you're stuck with the command-line, as is generally the case if you're configuring a server:
 
* Create the following file to help you get the certificate, let's name it `retrieve-cert.sh`:
 
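#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
# Prints the certificate presented by the remote host, in PEM format.
if [ -z "$1" ]; then
    echo "usage: $0 remote.host.name [port]" >&2
    exit 1
fi
REMHOST=$1
REMPORT=${2:-443}   # default to the standard https port
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'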
 
* Call the file with the IP of the server (let's say it's 10.235.246.123 for the example), the port (generally 443 for https), and send the output to some file, let's name it server.pem:
 
sh retrieve-cert.sh 10.235.246.123 443 > server.pem
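 
* The file saved by `retrieve-cert.sh` is whatever the network handed back, and once imported the JVM trusts it, so compare its fingerprint with one obtained from the server's administrator before step 2. An added example (not part of the original gist; the script name `verify-cert.sh` and its function names are assumptions) that accepts only a single, unexpired certificate with the expected SHA-256 fingerprint:

```sh
#!/bin/sh
# Added example, not from the original gist.
# usage: verify-cert.sh server.pem EXPECTED_SHA256_FINGERPRINT
# verify-cert.sh and its function names are hypothetical.

# Normalise a fingerprint: drop a "label=" prefix, colons and spaces; upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Number of certificates in a PEM file (0 when there are none).
count_certs() {
    grep -c -e '-BEGIN CERTIFICATE-' "$1" || true
}

# SHA-256 fingerprint of the certificate in a PEM file, normalised.
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Status 0: exactly one unexpired certificate whose fingerprint matches.
# Status 1: expired, unreadable or mismatching certificate. Status 2: unusable input.
verify_cert() {
    pem=$1
    expected=$(normalize_fp "$2")
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    [ -n "$expected" ] || { echo "no expected fingerprint given" >&2; return 2; }
    [ "$(count_certs "$pem")" -eq 1 ] ||
        { echo "$pem must hold exactly one certificate" >&2; return 2; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate is expired or unreadable" >&2; return 1; }
    actual=$(cert_fp "$pem")
    [ "$actual" = "$expected" ] ||
        { echo "fingerprint mismatch: got $actual" >&2; return 1; }
    return 0
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2" && echo "fingerprint matches: $1 can be imported"
    exit $?
fi
```

The expected fingerprint can be given with or without colons and in either case; on the server itself it can be read with `openssl x509 -in <certificate file> -noout -fingerprint -sha256`.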
 
 
2/ add this certificate to Java's default trusted store
 
* each Java Development Kit installation (whose home directory is generally known as `${JAVA_HOME}`) has a default certificate trusted store, located in `${JAVA_HOME}/security/cacerts`
* and by default a JVM when started will load all the certificates present in this trusted store
* so you'll just type the following command, which will add the server's certificate located in file `server.pem` to this default trusted store:
 
JAVA_HOME=/path/to/your/java/home # e.g. for Ubuntu it'll be /etc/java-6-sun
CERTIFICATE_ALIAS="some-alias-for-your-certificate-inside-the-trusted-store"
sudo "${JAVA_HOME}/bin/keytool" -import -alias "${CERTIFICATE_ALIAS}" -keystore "${JAVA_HOME}/security/cacerts" -file server.pem
 
* the default password for the JDK's cacert keystore is `changeit`
