If you are writing a Java or Grails application and want to consume an HTTPS web service or download something over SSL, you may need to add the certificate manually to the keystore.
If your web service does not have a properly signed certificate (for example, a self-signed one), then you have no choice. Libraries may throw an exception and you won't be able to access the resources. But no fear, there is an easy way to fix it and add any SSL certificate to the local keystore.
How to download an SSL certificate from an HTTPS hosted page / web service
Before you add a certificate exception and import it into the Java keystore, you first need to download the certificate from the remote web server. There is a very easy way (which I found somewhere a long time ago).
openssl s_client -connect HOSTNAME:PORTNUM </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certfile.txt
Before running the command, replace HOSTNAME and PORTNUM with the host name and port number of the SSL service you want to extract the certificate from.
How to add the certificate to the Java keystore
My Mac OS X (which I really don't enjoy working with) has a super duper special Apple Java, so many things work differently. The keystore file is located in:
/Library/Java/Home/lib/security/cacerts
It could also be named jssecacerts or be located in:
$JAVA_HOME/lib/security/cacerts
Once you find it, run the following command to add the certificate:
sudo $JAVA_HOME/bin/keytool -import -alias "somealias" -file certfile.txt -keystore /Library/Java/Home/lib/security/cacerts
You will also be asked for the password to the keystore, which by default is:
Then you will be asked whether you are sure you want to add it. The results will look more or less like this:
Enter keystore password:
Owner: CN=DUBWSC00, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=DUBWSC00, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 4c35eb72
Valid from: Thu Jul 08 16:14:58 IST 2010 until: Sun Jul 05 16:14:58 IST 2020
Certificate fingerprints:
    MD5: E6:C7:30:F2:9B:67:5B:5A:8B:E4:39:D9:6B:7F:DB:72
    SHA1: 04:AF:F7:01:02:FC:7B:04:A6:04:F5:A5:E0:9B:9A:B7:D1:67:AA:1B
    Signature algorithm name: SHA1withRSA
    Version: 3
Extensions:
#1: ObjectId: 22.214.171.124 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC DB 8A AA D3 B7 94 E1 5E 1A 43 E4 D0 4C 56 38 ........^.C..LV8
0010: 19 ED 90 8E ....
]
]
Trust this certificate? [no]: yes
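The keytool prompt above prints the certificate's fingerprints before asking whether to trust it. As an added example (not part of the original post), the functions below wrap the same openssl and keytool commands so that the import only runs when the downloaded certificate's SHA-256 fingerprint matches a value obtained out of band, for example from the server's administrator; the function names and that expected value are assumptions.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the original post.

# Download the server certificate from host $1, port $2 into file $3
# (same pipeline as the command shown earlier on this page).
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>&1 |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

# Print the SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Strip colons and whitespace and uppercase the hex digits, so that
# "ab:cd", "AB CD" and "abcd" all compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate in file $1 has the expected fingerprint $2.
# An empty fingerprint (unreadable file, openssl error) never matches.
fingerprint_matches() {
    fp_actual=$(normalize_fp "$(cert_fingerprint "$1")")
    fp_expected=$(normalize_fp "$2")
    [ -n "$fp_actual" ] && [ "$fp_actual" = "$fp_expected" ]
}

# Import file $1 under alias $3 into keystore $4, but only after the
# fingerprint check against $2 has passed.
import_if_verified() {
    if fingerprint_matches "$1" "$2"; then
        sudo "$JAVA_HOME/bin/keytool" -import -alias "$3" -file "$1" -keystore "$4"
    else
        echo "Fingerprint mismatch for $1: certificate not imported" >&2
        return 1
    fi
}

# Usage (EXPECTED_SHA256 is a placeholder for the out-of-band value):
#   fetch_cert HOSTNAME PORTNUM certfile.txt
#   import_if_verified certfile.txt "EXPECTED_SHA256" somealias \
#       "$JAVA_HOME/lib/security/cacerts"
```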
That is all
About the author
Hi, my name is Artur Ejsmont,
welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!