Importing SSL certificates on the Java Keystore (JKS)

Importazione Certificati SSL sul Java Keystore (JKS)
Importazione Certificati SSL sul Java Keystore (JKS)

The mechanism usually adopted for the protection of end-to-end data on the Internet is based on the use of Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are cryptographic protocols that allow communication safer and integrity of data over TCP/IP, encrypt the communication from the source to the destination transport layer.

A typical TLS/SSL (for example via internet browser) provides an authentication type called unilateral: only the server is authenticated (the client knows the identity of the server), but not vice versa (the client remains anonymous and authenticated). The client (Web browser, EmailUI, Java Client, etc …) validates the server certificate by checking the digital signature of server certificates, verifying that it is valid and recognized by a known Certificate Authority using a public key encryption.

 Figure 1 illustrates the case where the browser establishes a connection to a website (or web application) that exposes a certificate from a Certificate Authority not recognized. The user can take certain actions, whether to continue or abandon the connection, it is also possible for the user, consider instructing your browser to trust the certificate.

Figura 1 - Alert del Browser per Certificate Authority non riconosciuta

Figure 1 – Alert of the Browser for Certificate Authority not recognized

Figure 2 shows the details are on the chain of certification (Certificate Chain). The browser (in this case Safari) has all the reasons to issue a warning, in effect, the Certificate Authority (CA) has indicated a pure invention.

Figura 2 - Dettagli del certificato SSL

Figure 2 – Detail of the SSL Certificate

If you’d like to make TLS/SSL connections using software written in Java (as a client), you must ensure that all Certificate Chain (or certificate chain) is satisfied or at least should have to trust the certificate . The Java platform uses a system called Java Keystore for the management of security or rather, storage and administration of all that revolves around digital certificates (Public/Private Key, Root CA, CSR, etc …). The default implementation is based on the Java Keystore file, it is a proprietary format called JKS. For those wishing to know more about security in Java, I recommend reading JDK Security-related APIs & Developer Guides which will show you all the new features and improvements of JDK 8.

The Java platform provides two basic types of Java Keystore that I prefer to divide as follows:

  • Server side: Java Keystore that usually contains the pairs of public/private key certificates used by the server. The name is usually attributed to this repository keystore;
  • Client side: Java keystore containing the certificates that are used only by applications that act as a client. The name usually given to this repository and trustStore.

The default location of both the keystore is <java-home>/lib/security/. For simplicity, during the course of the article I will refer generically to keystore name.

The classic mistake that we encounter when the Certificate Chain is not met, is an exception of the type shown below. The exception is triggered because it was not found a valid Certification Path to the SSL connection request executed.

Come on now in practice and see how to deal with a similar scenario taking as an example a recent article posted on my blog, which showed how to implement a SOAP Java client for SugarCRM system. Examples of connection (see article) to a SOAP service using the HTTP protocol. If we did use the HTTPS protocol to connect to a SOAP service, we would go meet the exception shown above. The solution is very simple, you must import the SSL certificate on your Java Keystore and mark it as trusted. The operation consists of the following elementary steps:

  1. Export/Save the server certificate in format DER (Distinguished Encoding Rules) or X.509 on your machine that will perform the SSL connection;
  2. Importing the server certificate on the Java Keystore.

Export the server certificate can be accomplished in several ways, perhaps the easiest way is through a common browser (Firefox, Internet Explore, Safari, etc …). Publishing the post that explains how to do this with Mozilla Firefox: Exporting to File Server Certificate in Firefox 3. Similarly, you can proceed to export the server certificate using the most common browser.

The method that I prefer to export the server certificate in DER format is to use the openssl tool (see command below).

Once you have the server certificate, you must import it on the Java Keystore using the appropriate tool named keytool (keytool-Key and Certificate Management Tool). I remember that the keystore is the container of digital certificates. The scenario proposed here is based, custom keystore to a file, created from importing the server certificate, we leave intact the system keystore.

The command shown above, will create a new keystore (password protected) within the server certificate will be identified with the alias sugarcrm-fe-1. The alias uniquely identifies the item just inserted, if we wanted to do a check on the success of the operation of the import, just run the following command:

The output of above command will look like as shown below:

In the event that the server certificate was not imported successfully, the previous command would respond with the following exception:

At this point everything is ready to perform successfully connect to the service SOAP over HTTPS. Because we used a custom keystore instead of exploiting the system, you must instruct the JVM about the keystore to be used, not even a bad idea to set a debug level over the SSL connection. The two arguments that must be passed to the JVM are therefore:

As the Java application acts as a client, you must specify the location of the keystore (remember to be kind trustStore) through the property

The debug option can help you understand any problems in case of failure, it is useful for those who want to better understand the operation of the TLS / SSL, it draws all the messages exchanged between the client and the server to complete the handshake. Followed by an extract of the output against the execution of the class but change the endpoint address at https://sugarcrm-fe-1.local/crm-6.1/service/v2/soap.php?wsdl

Through a practical example and I would also realistic enough, we saw how simple and immediate import digital certificates in the Java Keystore, so that applications work correctly.

I think this is my third article created to respond to questions or problems raised by my colleagues!

Antonio Musarra

I began my journey into the world of computing from an Olivetti M24 PC ( bought by my father for his work. Day after day, quickly taking control until … Now doing business consulting for projects in the enterprise application development using web-oriented technologies such as J2EE, Web Services, ESB, TIBCO, PHP.

You may also like...

Cos'è il progetto CIE/CNS Apache Docker - Developers Italia

In questo video introdurrò il progetto CIE/CNS Apache Docker di Developers Italia ( nato circa due anni fa.

L'obiettivo di questo progetto è quello di fornire un template pronto all'uso che realizza un sistema di autenticazione tramite la Smart Card TS-CNS (o CNS) e la CIE (Carta d'Identità Elettronica) basato su Apache HTTP. Ognuno può poi modificare o specializzare questo progetto sulla base delle proprie esigenze Si tratta di un progetto docker per la creazione di un container che implementa un sistema di mutua autenticazione o autenticazione bilaterale SSL/TLS.

Questo meccanismo di autenticazione richiede anche il certificato digitale da parte del client, certificato che in questo caso risiede all'interno della TS-CNS o della CIE. La particolarità del sistema implementato (attraverso questo container) è quella di consentire l'autenticazione tramite:

  • La TS-CNS (Tessera Sanitaria - Carta Nazionale Servizi), rilasciata dalla regione di appartenenza;
  • La CIE (Carta d'Identità Elettronica), rilasciata dal comune di residenza.

Nella versione 2.0.0 il progetto è stato aggiornato per essere uniforme alle linee guida di Bootstrap Italia. A seguire alcune risorse che possono essere utili.

  • Cos’è il progetto CIE/CNS Apache Docker (
  • CIE Carta d'Identità Elettronica (
  • Carta Nazionale dei Servizi (
  • Raspberry Pi – Un esempio di applicazione della TS-CNS (
  • Pubblicare il servizio CIE/CNS Apache Docker su Azure Cloud (
  • Come accedere al portale VETINFO tramite TS-CNS e Mac OS (