Java Security Certificates

Submitted by code_admin on Mon, 07/23/2018 - 11:19

Download and import a certificate to keystore - One Level

This imports the lowest level certificate in the chain

  CACERTS=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
  HOST_TO_GET_CERT_FROM=dev.mylinkedthings.com
  PORT_TO_GET_CERT_FROM=5643

  CERT_FILE=./${HOST_TO_GET_CERT_FROM}.cert

  echo -n | openssl s_client -connect ${HOST_TO_GET_CERT_FROM}:${PORT_TO_GET_CERT_FROM} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${CERT_FILE}

To print the file you just downloaded:

  keytool -printcert -v -file ${CERT_FILE}

List all certificates in the store (the default cacerts password is changeit):

  keytool -list -v -keystore ${CACERTS}

Do the actual import:

  sudo keytool -import -trustcacerts -file ${CERT_FILE} -alias CA_ALIAS -keystore ${CACERTS}

Debugging:
If keytool reports that the alias already exists, retry with a different alias, e.g. CA_ALIAS2 etc.

View certificate:

  openssl x509 -in ${CERT_FILE} -noout -text

Download and import a certificate to keystore - Top Level

This lets you pick out the higher-level (issuing) certificate from the chain that the server presents; the process is more manual.

  CACERTS=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
  HOST_TO_GET_CERT_FROM=dev.mylinkedthings.com
  PORT_TO_GET_CERT_FROM=5643

  CERT_FILE=./${HOST_TO_GET_CERT_FROM}.cert
  CERT_FILE_ROOT=./${HOST_TO_GET_CERT_FROM}_ROOT.cert

  echo -n | openssl s_client -connect ${HOST_TO_GET_CERT_FROM}:${PORT_TO_GET_CERT_FROM} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${CERT_FILE}
  echo -n | openssl s_client -connect ${HOST_TO_GET_CERT_FROM}:${PORT_TO_GET_CERT_FROM} -prexit -showcerts

The first command saves the lowest-level (leaf) certificate to a file for comparison; the second prints the whole chain to the screen.

The second certificate in that output will have a header something like:

  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3

This is the higher level in the cert chain. Copy everything from this cert including the BEGIN and END then run:

  vi ${CERT_FILE_ROOT}

Paste and save

Import to the java keytool:

  sudo keytool -import -trustcacerts -file ${CERT_FILE_ROOT} -alias CA_ALIAS -keystore ${CACERTS}
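The manual copy-and-paste step above can be scripted. The functions below are an added example, not part of the original article: they capture the chain with `openssl s_client -showcerts`, split it into one PEM file per certificate (index 0 is the leaf, 1 its issuer, and so on), and import everything above the leaf into cacerts. They assume openssl and keytool are on PATH and a `CACERTS` path as defined earlier; `sample_chain_file` writes a constructed stand-in for the s_client output with fake bodies so the splitter can be tried offline.

```shell
# split_chain SHOWCERTS_OUTPUT PREFIX -> writes PREFIX-0.pem (leaf),
# PREFIX-1.pem (its issuer), ... and echoes the number of certs written.
split_chain() {
  local in="$1" prefix="$2" n=0 out=""
  while IFS= read -r line; do
    case "$line" in
      "-----BEGIN CERTIFICATE-----")
        out="${prefix}-${n}.pem"
        printf '%s\n' "$line" > "$out" ;;
      "-----END CERTIFICATE-----")
        printf '%s\n' "$line" >> "$out"
        n=$((n + 1)); out="" ;;
      *) if [ -n "$out" ]; then printf '%s\n' "$line" >> "$out"; fi ;;
    esac
  done < "$in"
  echo "$n"
}
# fetch_chain HOST PORT OUTFILE: capture exactly what the server presents.
fetch_chain() {
  echo -n | openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
    2>/dev/null > "$3"
}
# import_issuers PREFIX COUNT KEYSTORE ALIAS_BASE: import PREFIX-1 .. PREFIX-(COUNT-1),
# one alias each, so trust is anchored on the issuing CA rather than the leaf.
import_issuers() {
  local i=1
  while [ "$i" -lt "$2" ]; do
    sudo keytool -import -trustcacerts -noprompt -storepass changeit \
      -file "$1-$i.pem" -alias "$4-$i" -keystore "$3"
    i=$((i + 1))
  done
}
# sample_chain_file OUTFILE: constructed stand-in for -showcerts output
# (fake bodies, not real certificates) for trying the splitter offline.
sample_chain_file() {
  cat > "$1" <<'EOF'
 0 s:/CN=dev.example.test
-----BEGIN CERTIFICATE-----
LEAFBODY
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
ISSUERBODY
-----END CERTIFICATE-----
EOF
}
```

Against a live host the sequence is `fetch_chain host port chain.txt`, `n=$(split_chain chain.txt ./cert)`, then `import_issuers ./cert "$n" "$CACERTS" CA_ALIAS`; run `openssl x509 -in ./cert-1.pem -noout -subject -issuer` first to confirm which CA you are about to trust.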

Debugging

https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-d…

SSLPoke is the small test class provided on that Atlassian page; put SSLPoke.class in the current directory, then run it against the host to confirm the JVM now trusts the certificate:

  java SSLPoke ${HOST_TO_GET_CERT_FROM} ${PORT_TO_GET_CERT_FROM}

Previous Method

Download a certificate. From chrome choose the option "DER encoded binary X.509 (.CER)"

  set JAVA_HOME=C:\Program Files\Java\jdk1.7.0_51

  rem The default trust store password is changeit
  "%JAVA_HOME%\bin\keytool" -list -v -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

  set TOTEST=C:\Users\rjmetcal\Desktop\ifttt.cer
  "%JAVA_HOME%\bin\keytool" -printcert -v -file "%TOTEST%"

  rem Run from a command prompt opened as administrator to add the cert.
  "%JAVA_HOME%\bin\keytool" -import -alias ca -file "%TOTEST%" -keystore "%JAVA_HOME%/lib/security/cacerts"
  rem or
  "%JAVA_HOME%\bin\keytool" -import -alias ca -file "%TOTEST%" -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

Notes

Make sure it is added to the right cacerts file. If keytool asks you to choose and re-enter a new password, the path is wrong and it is creating a new keystore instead of updating the existing one.

Installing GoDaddy trust certificate on Raspberry Pi

  GODADDYROOTCERT=~/GODADDYROOTCERT.crt
  JAVAHOME=/usr/lib/jvm/jdk-8-oracle-arm-vfp-hflt/jre
  # GODADDYURL must be set beforehand to the download URL of the GoDaddy root certificate
  wget -O ${GODADDYROOTCERT} ${GODADDYURL}
  sudo ${JAVAHOME}/bin/keytool -import -alias ca -file ${GODADDYROOTCERT} -keystore ${JAVAHOME}/lib/security/cacerts
  rm ${GODADDYROOTCERT}

Install random cert on Raspberry Pi

  HOST=yearbook-wireless.lan:8080
  ALIAS=yearbook_key
  CERTFILE=~/cert.cert.rjmtmp.crt
  JAVAHOME=/usr/lib/jvm/jdk-8-oracle-arm-vfp-hflt/jre
  # show the certificate first, then save it to a file
  echo | openssl s_client -connect ${HOST} 2>/dev/null | openssl x509
  (echo | openssl s_client -connect ${HOST} 2>/dev/null | openssl x509) > ${CERTFILE}
  sudo ${JAVAHOME}/bin/keytool -import -alias ${ALIAS} -file ${CERTFILE} -keystore ${JAVAHOME}/lib/security/cacerts

Enter the password changeit, then remove the temporary file:

  rm ${CERTFILE}

Manual windows install cert in a JRE

Use Chrome and export the cert as Base-64 encoded X.509

File will have -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

cacerts file will be in jre location. e.g. C:\Program Files\Java\jre8\lib\security\cacerts

  SET CACERTS="C:\Program Files\Java\jre8\lib\security\cacerts"
  SET CERT_FILE_ROOT="C:\off_desk\downloads\XXX.cer"

Import to the java keytool:

The password is changeit, and you need a command prompt opened as administrator:

  keytool -import -trustcacerts -file %CERT_FILE_ROOT% -alias CA_ALIAS -keystore %CACERTS%

Tags

RJM Article Type
Quick Reference