Using openssl to test an SSL connection to google.com, using a CA file that's been pulled out from a Java keystore. For those days when you want to verify that you've got the right certificate in the store:
- Download the Equifax root certificate (which is the root CA for Google)
- Import the certificate into a new Java keystore
- Export the certificate back out again
- Convert the certificate to PEM
- Use
opensslto test an SSL connection to Google with that cert
Simulate the process of downloading a root certificate and adding into a Java truststore:
curl -o equifax.pem https://knowledge.geotrust.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/GeoTrust/Equifax_Secure_Certificate_Authority.pem
keytool -import -trustcacerts -alias equifax -file equifax.pem -keystore truststore.jks -storepass changeit
Then, pull out the cert, convert to PEM and make a test connection to google.com:
keytool -export -alias equifax -file equifax-out.der -keystore truststore.jks -storepass changeit
openssl x509 -inform der -in equifax-out.der -out equifax-out.pem
openssl s_client -showcerts -servername www.google.com -connect www.google.com:443 -CAfile equifax-out.pem
openssl should display the following:
CONNECTED(00000003)
depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
-Djavax.net.ssl.trustStore=/opt/eap/standalone/configuration/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS
-Djavax.net.debug=ssl,handshake
-Djava.security.debug=certpath,provider