How to import self signed SSL certificate to Java keystore (adding https certificate)

If you are writing a Java or Grails application and want to consume an HTTPS web service or download something over SSL, you may need to add the server's certificate to the keystore manually.

If the web service does not have a properly signed certificate (for example a self-signed one) then you have no choice: libraries will throw an exception and you won't be able to access the resource. But no fear, there is an easy way to fix it and add any SSL certificate to the local keystore.

How to download SSL certificate from HTTPS hosted page / web service

Before you add a certificate exception and import it into the Java keystore, you first need to download the certificate from the remote web server. There is a very easy way (which I found somewhere a long time ago).

openssl s_client -connect HOSTNAME:PORTNUM </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certfile.txt

Before running the command, replace the host name and port number so they point to the SSL service you want to extract the certificate from. The redirect from /dev/null makes s_client exit as soon as the handshake is done instead of waiting for you to type something, which is why the command otherwise appears to hang.

How to add certificate to the JAVA keystore

My Mac OS X (which I really don't enjoy working with) has a super duper special Apple Java, so many things work differently. The keystore file is located in:

/Library/Java/Home/lib/security/cacerts

It could also be named jssecacerts or be located in:

$JAVA_HOME/lib/security/cacerts

Once you find it, run the following command to add the certificate:

sudo $JAVA_HOME/bin/keytool -import -alias "somealias" -file certfile.txt -keystore /Library/Java/Home/lib/security/cacerts

You will also be asked for the password to the keystore, which by default is:

changeit

Then confirm that you are sure you want to add it. The result will look more or less like this:

Enter keystore password:
Owner: CN=DUBWSC00, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=DUBWSC00, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 4c35eb72
Valid from: Thu Jul 08 16:14:58 IST 2010 until: Sun Jul 05 16:14:58 IST 2020
Certificate fingerprints:
        MD5:  E6:C7:30:F2:9B:67:5B:5A:8B:E4:39:D9:6B:7F:DB:72
        SHA1: 04:AF:F7:01:02:FC:7B:04:A6:04:F5:A5:E0:9B:9A:B7:D1:67:AA:1B
        Signature algorithm name: SHA1withRSA
        Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC DB 8A AA D3 B7 94 E1   5E 1A 43 E4 D0 4C 56 38  ........^.C..LV8
0010: 19 ED 90 8E                                        ....
]
]

Trust this certificate? [no]: yes

That is all. Note that once the certificate is in cacerts, every Java program using that JDK trusts it, so check the fingerprints shown by keytool against the ones the service owner gave you before answering yes.
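The two steps above (download the certificate, then import it) put together as a small shell script. This is an added example and not part of the original post; it assumes openssl and keytool are on the PATH, that the keystore password is the default "changeit", and it works on a copy of cacerts rather than the live one so a mistake does not affect the whole JDK. The import step refuses to continue unless the certificate's SHA-256 fingerprint matches the one you were given out of band.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl and keytool
# are installed; keystore path and "changeit" password are the JDK defaults.

# fetch_cert HOST PORT OUTFILE
# Reads stdin from /dev/null so s_client exits after the handshake instead
# of waiting for input (the "hang"). -servername sends SNI so a server
# hosting several names returns the certificate for HOST.
fetch_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out"
    [ -s "$out" ]          # fail if nothing was captured
}

# is_x509 FILE -> exit 0 only if FILE parses as a PEM X.509 certificate
# (catches the "Input not an X.509 certificate" keytool error early)
is_x509() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# cert_sha256 FILE -> prints the colon-separated SHA-256 fingerprint
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_subject FILE -> prints the certificate subject line
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# import_cert ALIAS FILE KEYSTORE EXPECTED_SHA256
# Imports FILE under ALIAS into KEYSTORE, but only after the fingerprint
# has been compared with the value obtained from the service owner.
import_cert() {
    alias=$1; file=$2; store=$3; expected=$4
    is_x509 "$file" || { echo "$file is not an X.509 certificate" >&2; return 1; }
    actual=$(cert_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    keytool -importcert -trustcacerts -noprompt -alias "$alias" \
        -file "$file" -keystore "$store" -storepass changeit
}

# Usage: sh import-cert.sh run HOST PORT EXPECTED_SHA256
# (hypothetical script name; HOST/PORT/fingerprint are placeholders)
if [ "${1:-}" = "run" ]; then
    host=$2; port=$3; expected=$4
    store=$JAVA_HOME/lib/security/cacerts
    cp "$store" ./cacerts.copy                # never edit the live store directly
    fetch_cert "$host" "$port" certfile.txt || exit 1
    cert_subject certfile.txt
    cert_sha256 certfile.txt
    import_cert "$host" certfile.txt ./cacerts.copy "$expected"
fi
```

Point your application at the copied keystore with -Djavax.net.ssl.trustStore=./cacerts.copy and move it into place only once the import has been verified.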

Comments

try this if the command hangs and doesn't come back
openssl s_client -showcerts -connect hosthost:443

2015-11-09 16:57
Anonymous

I am getting the below error when I run the command to import the cert to the keystore

"keytool error: java.lang.Exception: Input not an X.509 certificate"

2015-10-28 00:28
Rashmi

Great help.

The download of the certificate will not work on Ubuntu because the instruction "hangs" in the connect and does not terminate.

2015-01-24 01:01
David

Hi Artur.
Your article is a lifesaver!
Thx for sharing it.

2013-06-11 06:35
Thosch

Hi Frank, what does this command print:

openssl s_client -connect 172.24.53.126:20033

if the command hangs it probably can't reach the IP, or the port is firewalled?

Art

2012-09-20 00:47
admin

On my Ubuntu the following command hangs and does not write the file

root@BGW-APPSRV1:~# openssl s_client -connect 172.24.53.126:20033 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certfile.txt

2012-09-19 20:50

Please note that port number is mandatory when getting the certificate.

I have also been obliged to:

* print the certificate with:
openssl s_client -connect server:port 2>&1
* then extract the certificate from the result (keeping the dashed lines that mark the beginning and end of the certificate)
* copy those lines into a file named certificate.txt

I had to do this as openssl was interactive and was waiting for input, thus writing nothing to the certificate.txt file when I used the first command line proposed.

Then, once I got the certificate, all went well.

Thx for this tip! It's sad Google doesn't rank it higher in its result pages.

2012-08-08 21:55
snicolas

Fabulous article...simple and precise..

Thanks a lot...saved a lot of my time :)

2012-05-27 03:01
Vishwas

Thanks!

2012-03-27 14:27
Anonymous

About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont,
welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!

Web Scalability for Startup Engineers

If you are into technology, you can order my book Web Scalability for Startup Engineers on Amazon. I would love to hear what are your thoughts so please feel free to drop me a line or leave a comment.