
Tuesday, April 28, 2015

Script for grabbing a root ca cert of a website

If you are using self-signed certs, or certs issued by a CA that is not part of your JDK's standard cacerts, you first need the certificate you want to trust from the target website. Be aware of what the script below actually returns: openssl s_client without -showcerts prints only the server's own (leaf) certificate, not the root CA. For a self-signed cert the two are the same thing; for a CA-signed cert you would normally rather trust the issuing CA's certificate, which the server may send as part of its chain (-showcerts) or which you fetch from the CA directly. With that in mind, you can use the following script:

#!/bin/bash
ADDRESS="$1"
# -servername sends SNI so a name-based virtual host answers with its own certificate; without
# -showcerts openssl prints only the leaf certificate, so the file holds the server cert, not the root CA
openssl s_client -connect "$ADDRESS:443" -servername "$ADDRESS" < /dev/null 2>/dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "./$ADDRESS.cert"

Now you should have a cert file, which you can add to the JDK's cacerts with this command:

# the alias must be unique within the keystore (the original used "startcom", the author's CA); the host name is a safer default
keytool -importcert -alias "$ADDRESS" -file "$ADDRESS.cert" -keystore cacerts -storepass changeit

cacerts is located in $JAVA_HOME/jre/lib/security (e.g. on Mac OS X /Library/Java/JavaVirtualMachines/jdkX.X.X_XX.jdk/Contents/Home/jre/lib/security/cacerts); the default store password is changeit. On JDK 9 and later the jre directory no longer exists and the file lives in $JAVA_HOME/lib/security/cacerts.

This command adds your cert to the JDK's cacerts, so every Java app running on that JDK can connect over SSL/TLS to the desired website. The downside of this trick is that cacerts belongs to the JDK installation: if you move to another server or workstation, or update the JDK, you have to patch cacerts again, and you have widened trust for every application on that machine, not just your own.
So the better way is to prepare a separate trust store with your additional certs and point the JVM at it with the Java system properties

-Djavax.net.ssl.trustStore=/tmp/mykeystore.jks
-Djavax.net.ssl.trustStorePassword=changeit

(javax.net.ssl.keyStore is the wrong property here: it holds your own client certificate and private key, not the CAs you trust), or set the same properties in your Java code with System.setProperty before the first SSL connection is opened, since the default SSLContext reads them only once when it is initialised. Two caveats: a custom trust store replaces the default cacerts rather than being merged with it, so start from a copy of cacerts if your program also talks to sites with public CA certs; and trusting the leaf cert of a site means you have to repeat the exercise at every certificate renewal. Done this way, your Java program trusts exactly the certs you chose, independent of the JDK it happens to run on.
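Putting the two halves of this post together (fetching the certificate at the top, and the private trust store at the end), here is an added example; it is my script, not the one from the post, and it goes beyond the post in handling the whole chain instead of only the leaf. It fetches every certificate the server sends with -showcerts and SNI, splits the bundle into one file per certificate because keytool -importcert stores only the first certificate it finds in a file, checks whether the top of the chain is self-signed by comparing subject and issuer, and builds a private trust store from a copy of cacerts instead of editing the JDK's own copy. It assumes openssl, keytool and awk on the PATH, JAVA_HOME pointing at a JDK 8 layout, and the default password changeit; SAMPLE_CHAIN is a constructed placeholder with dummy bodies, not real certificates, included only so the splitting step can be exercised offline.

```bash
#!/bin/sh
# Added example, not the script from the post. Assumes openssl, keytool and awk on PATH and
# JAVA_HOME pointing at a JDK 8 layout (jre/lib/security/cacerts). Usage: ./trust-site.sh HOST [PORT]
set -eu

# Fetch every certificate the server presents (leaf first) as one PEM bundle. -servername sends SNI;
# -showcerts prints the chain the server sends, which usually ends at an intermediate, not the root.
fetch_chain() {   # fetch_chain HOST [PORT]  > bundle.pem
  raw=$(openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts < /dev/null 2>/dev/null) \
    || { echo "TLS handshake with $1:${2:-443} failed" >&2; return 1; }
  printf '%s\n' "$raw" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Split a PEM bundle into OUTDIR/cert-0.pem, cert-1.pem, ...; prints how many files were written.
# keytool -importcert stores only the first certificate in a file, so a bundle has to be split first.
split_chain() {   # split_chain BUNDLE OUTDIR
  mkdir -p "$2"
  awk -v dir="$2" '
    /-BEGIN CERTIFICATE-/ { out = sprintf("%s/cert-%d.pem", dir, n); n++ }
    out                   { print > out }
    /-END CERTIFICATE-/   { close(out); out = "" }
    END                   { print n + 0 }
  ' "$1"
}

# Subject equal to issuer means self-signed: either a real root CA or the site's own self-signed cert.
is_self_signed() {   # is_self_signed cert.pem
  subject=$(openssl x509 -in "$1" -noout -subject)
  issuer=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# Private trust store = copy of the JDK cacerts (public roots keep working) plus our certificate.
build_truststore() {   # build_truststore cert.pem ALIAS OUT.jks PASSWORD
  cp "${JAVA_HOME:?set JAVA_HOME}/jre/lib/security/cacerts" "$3"   # JDK 9+: $JAVA_HOME/lib/security/cacerts
  keytool -importcert -noprompt -alias "$2" -file "$1" -keystore "$3" -storepass "$4"
}

# JVM flags that make the default SSLContext use that store instead of cacerts (a replacement, not a merge).
java_trust_args() {   # java_trust_args OUT.jks PASSWORD
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' "$1" "$2"
}

# Constructed stand-in for a fetched bundle (two dummy PEM blocks, not real certificates),
# only so that split_chain can be exercised without a network.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
FIRSTCERTBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SECONDCERTBODY
-----END CERTIFICATE-----'

main() {   # main HOST [PORT]
  work=$(mktemp -d)
  fetch_chain "$1" "${2:-443}" > "$work/chain.pem"
  n=$(split_chain "$work/chain.pem" "$work")
  [ "$n" -gt 0 ] || { echo "no certificate received from $1" >&2; return 1; }
  # Trust the top of the chain the server sent rather than the leaf: the leaf changes on every renewal.
  top="$work/cert-$((n - 1)).pem"
  openssl x509 -in "$top" -noout -subject -issuer -fingerprint -sha256
  if is_self_signed "$top"; then
    echo "top of chain is self-signed (a root CA, or the site's own cert): verify the fingerprint out of band before trusting it"
  else
    echo "top of chain is an intermediate; fetch the real root from the CA if you want to trust higher up"
  fi
  build_truststore "$top" "$1" "$work/truststore.jks" changeit
  echo "launch with: java $(java_trust_args "$work/truststore.jks" changeit) -jar app.jar"
}

if [ -n "${1:-}" ]; then main "$@"; fi
```

Run it as ./trust-site.sh example.org and start your application with the printed -D flags. The trust store is written next to the split certificates in a fresh mktemp directory; move it somewhere permanent and ship it with the application, which is the point of not touching the JDK's cacerts.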