SSL, Certificates and Java

by Michael

For a Java program to open a TLS connection (the "SSL" of the title), the server's certificate must chain to a certificate that Java already trusts. Java keeps those trusted CA certificates in a keystore file called cacerts, its default truststore. Certificates issued by the big public CAs are in there out of the box; a self-signed certificate, or one issued by a company-internal CA, is not. If the endpoint uses one of those and you have not added the issuing certificate to the truststore, the handshake fails with error messages similar to the following:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To find the cacerts file that your JRE uses:

locate cacerts

You will probably get more than one result. The one that matters is the file inside the JRE you actually run with (check which java, and follow the symlink with readlink -f if there is one), e.g.,

/usr/lib/jvm/java-6-sun-1.6.0.16/jre/lib/security/cacerts

On Java 8 and earlier it lives under $JAVA_HOME/jre/lib/security/cacerts; on Java 9 and later under $JAVA_HOME/lib/security/cacerts. Note that locate only knows about files indexed by the last updatedb run; a freshly installed JDK may not show up until the index is rebuilt.

To list every certificate it trusts, type the following (keytool prompts for the keystore password; the default for cacerts is changeit):

keytool -list -keystore /usr/lib/jvm/java-6-sun-1.6.0.16/jre/lib/security/cacerts

How to add a certificate
Let's assume that we would like to communicate with the following SOAP endpoint

https://example.org/api/soap/service

whose WSDL can be found at

https://example.org/api/soap/service?wsdl
  1. First, use Firefox (or any browser that lets you inspect and export certificates) to browse to the WSDL. If the server's certificate is self-signed, the browser warns about it on the way; if it was issued by an internal CA that the browser already trusts, there is no warning, but Java will still reject it, because cacerts is a separate trust store from the browser's. After a bit of clicking you should see the WSDL (an XML file; use "view source" to see it).
  2. Now click the padlock icon on the left of the address bar and choose "More information" -> "View Certificate" -> "Details" -> "Export". Save the certificate with DER encoding. Prefer exporting the issuing CA certificate (the root, or the intermediate that signed the server certificate) rather than the server's own certificate: server certificates are renewed regularly, and a truststore that contains only the leaf breaks at the next renewal. Before trusting what you exported, compare its fingerprint with one obtained out of band (from the service owner, not over the same connection), because the export is only as trustworthy as the connection it came over. Let's assume you save the certificate to /tmp/security/example.cer.
  3. Now add this certificate to the Java truststore. Use the following command (it needs write access to cacerts, so usually sudo; it prompts for the keystore password, changeit, and then asks whether to trust the certificate):
    keytool -import -alias example -keystore /usr/lib/jvm/java-6-sun-1.6.0.16/jre/lib/security/cacerts -file /tmp/security/example.cer

Restart the JVM; you should now be able to use the service without getting the above exceptions. If they persist, make sure the java binary you run is the one whose cacerts you edited. Two caveats for anything beyond a quick test: a JRE upgrade replaces cacerts and silently drops your entry, and editing the system-wide store makes the certificate trusted by every Java program on the machine. The usual fix is to copy cacerts (or start from an empty keystore), import into the copy, and point the application at it with -Djavax.net.ssl.trustStore=/path/to/truststore (plus -Djavax.net.ssl.trustStorePassword for its password); that store belongs to the application and survives upgrades.
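The whole procedure as a script, added here as an example and not part of the original post. Instead of a browser export it generates a stand-in private CA and a server certificate signed by it with openssl (against a live service the equivalent step is capturing the chain with openssl s_client -showcerts), verifies that the server certificate chains to that CA, imports only the CA certificate into a fresh PKCS12 truststore with keytool, checks that the SHA-256 fingerprint keytool stored matches the file it came from, and lists the trusted entries the way the keytool -list command above does. It assumes openssl and keytool are on PATH; the CA name, the alias demo-private-ca, the password, the file names and the SoapClient class in the final java command line are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a private truststore for a
# Java client instead of editing the JRE's cacerts. Requires openssl and keytool
# on PATH; every name, password and path below is constructed for the demo.
set -eu

if ! command -v openssl >/dev/null 2>&1 || ! command -v keytool >/dev/null 2>&1; then
    echo "skipping: this demo needs openssl and keytool on PATH" >&2
    exit 0
fi

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, left in place so you can inspect it
TRUSTSTORE="$WORK/truststore.p12"
STOREPASS="changeit"           # same default the JRE's cacerts uses; pick your own

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# ca_ext marks the CA certificate as a CA; server_ext is what a TLS server needs.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.org
EOF

# Stand-in for the real endpoint: a private CA and a server certificate it signed.
# Against a live service you would instead capture the chain with
#   openssl s_client -connect example.org:443 -servername example.org -showcerts
make_demo_pki() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=Demo Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" -subj "/CN=example.org" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/req.cnf" -extensions server_ext \
        -out "$WORK/server.pem" 2>/dev/null
}

# Does the server certificate chain to the CA we are about to trust? This is the
# check Java's PKIX validator performs at handshake time; doing it here catches a
# wrong export (leaf only, wrong intermediate) before it lands in the truststore.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of the CA file, colon-separated uppercase hex.
ca_fingerprint() {
    openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d '[:space:]'
}

# Import only the CA certificate: trusting the leaf breaks at its next renewal.
# -noprompt skips the "Trust this certificate?" question because the fingerprint
# is compared explicitly below. keytool creates the keystore if it does not exist.
import_ca() {
    keytool -importcert -noprompt -trustcacerts -alias "$1" -file "$WORK/ca.pem" \
        -keystore "$TRUSTSTORE" -storetype PKCS12 -storepass "$STOREPASS" >/dev/null 2>&1
}

# SHA-256 fingerprint keytool reports for an alias, in the same format as ca_fingerprint.
truststore_fingerprint() {
    keytool -list -v -keystore "$TRUSTSTORE" -storetype PKCS12 -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1 | tr -d '[:space:]'
}

# Aliases of the trusted certificates in the store, one per line (what keytool -list shows).
truststore_aliases() {
    keytool -list -keystore "$TRUSTSTORE" -storetype PKCS12 -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^\([^,]*\),.*trustedCertEntry.*/\1/p'
}

make_demo_pki
chain_verifies || { echo "server certificate does not chain to the CA; not importing" >&2; exit 1; }
import_ca demo-private-ca
[ "$(ca_fingerprint)" = "$(truststore_fingerprint demo-private-ca)" ] \
    || { echo "stored fingerprint differs from the file; refusing to use this store" >&2; exit 1; }
echo "trusted entries: $(truststore_aliases | tr '\n' ' ')"
echo "run the client against this store instead of the JRE's cacerts:"
echo "  java -Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$STOREPASS" \
     "-Djavax.net.ssl.trustStoreType=PKCS12 SoapClient"
```

The store this produces is owned by the application, so a JRE upgrade cannot wipe it, and nothing else on the machine starts trusting the private CA. Swap make_demo_pki for the s_client capture, keep the fingerprint comparison against a value obtained out of band, and the rest of the script applies unchanged to a real endpoint.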
