Importing SSL certificates on the Java Keystore (JKS)


The mechanism usually adopted to protect data end-to-end on the Internet is based on Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), two cryptographic protocols that provide confidentiality and integrity for communication over TCP/IP by encrypting the traffic at the transport layer, from source to destination.

A typical TLS/SSL connection (for example from a web browser) provides what is called unilateral authentication: only the server is authenticated (the client learns the identity of the server), but not vice versa (the client remains anonymous and unauthenticated). The client (web browser, email client, Java client, etc.) validates the server certificate by checking the digital signature on the certificate chain, verifying that it is valid and issued by a known Certificate Authority, using public key cryptography.

Figure 1 illustrates the case where the browser connects to a website (or web application) that presents a certificate from a Certificate Authority the browser does not recognize. The user can choose to continue or abandon the connection; it is also possible to instruct the browser to trust the certificate.


Figure 1 – Browser alert for an unrecognized Certificate Authority

Figure 2 shows the details of the certificate chain. The browser (in this case Safari) has every reason to issue a warning: the Certificate Authority (CA) indicated is pure invention.


Figure 2 – Details of the SSL certificate

If you want to make TLS/SSL connections from software written in Java (acting as a client), you must ensure that the whole certificate chain can be validated, or at least that the certificate itself is trusted. The Java platform uses a system called the Java Keystore for the storage and administration of everything that revolves around digital certificates (public/private keys, root CAs, CSRs, etc.). The default implementation stores the keystore in a file using a proprietary format called JKS. For those wishing to know more about security in Java, I recommend reading the JDK 6 Security-related APIs & Developer Guides.

The Java platform uses two basic kinds of keystore, which I prefer to distinguish as follows:

  • Server side: a Java keystore that usually contains the public/private key pairs and certificates used by the server. This repository is usually called the keystore;
  • Client side: a Java keystore containing the certificates used only by applications that act as clients. This repository is usually called the trustStore.

The default location of both keystores is <java-home>/lib/security/. For simplicity, throughout the article I will refer to both generically as the keystore.

The classic error encountered when the certificate chain cannot be validated is an exception of the type shown below. The exception is thrown because no valid certification path was found for the requested SSL connection.

Let us now move to practice and see how to handle such a scenario, taking as an example a recent article on my blog that showed how to implement a Java SOAP client for the SugarCRM system. The connection examples in that article used a SOAP service over HTTP. If we used HTTPS to connect to the SOAP service instead, we would run into the exception shown above. The solution is very simple: import the SSL certificate into your Java keystore and mark it as trusted. The operation consists of the following elementary steps:

  1. Export/save the server certificate in DER (Distinguished Encoding Rules) X.509 format on the machine that will perform the SSL connection;
  2. Import the server certificate into the Java keystore.

Exporting the server certificate can be done in several ways; perhaps the easiest is through a common browser (Firefox, Internet Explorer, Safari, etc.). I have published a post that explains how to do this with Mozilla Firefox: Exporting the Server Certificate to a File in Firefox 3. You can proceed in a similar way with the other common browsers.

The method I prefer for exporting the server certificate in DER format is the openssl tool (see the command below).

Once you have the server certificate, you must import it into the Java keystore using the appropriate tool, keytool (Key and Certificate Management Tool). Remember that the keystore is the container of digital certificates. The scenario proposed here uses a custom keystore file, created by importing the server certificate, so that the system keystore is left intact.

The command shown above creates a new, password-protected keystore in which the server certificate is identified by the alias sugarcrm-fe-1. The alias uniquely identifies the entry just inserted; to check that the import succeeded, just run the following command:

The output of the above command will look like the one shown below:

If the server certificate was not imported successfully, the previous command responds with the following exception:

At this point everything is ready to connect successfully to the SOAP service over HTTPS. Because we used a custom keystore rather than the system one, you must tell the JVM which keystore to use; it is also not a bad idea to enable debugging of the SSL connection. The two arguments to pass to the JVM are therefore:

Since the Java application acts as a client, you specify the location of the keystore (remember that in this role it is a trustStore) through the property

The debug option helps you understand any problems in case of failure, and it is useful for those who want to better understand how TLS/SSL works, because it prints all the messages exchanged between the client and the server to complete the handshake. Below is an extract of the output from running the class, after changing the endpoint address to https://sugarcrm-fe-1.local/crm-6.1/service/v2/soap.php?wsdl
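The whole procedure, from exporting the certificate to launching the client with the custom trustStore, as an added POSIX shell example written for this page rather than taken from the original article. It assumes openssl and keytool are on the PATH; the host name sugarcrm-fe-1.local and the alias sugarcrm-fe-1 come from the article, while the file names, the store password and the client class name com.example.SoapClient are placeholders of my own. Because the example has to run offline, a locally generated self-signed certificate stands in for the certificate exported from the server; the function that performs the real export over a TLS connection is included but not executed.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes openssl and keytool
# on PATH. File names, password and the client class name are placeholders.
set -e

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
CERT_DER="$WORK_DIR/sugarcrm-fe-1.der"          # the exported server certificate
TRUST_STORE="$WORK_DIR/sugarcrm-truststore.jks"  # custom keystore, system one untouched
STORE_PASS="changeit"                            # constructed password, pick your own
ALIAS="sugarcrm-fe-1"                            # alias used in the article

# Step 1 (the article's preferred route): fetch the server certificate over a
# live TLS connection and save it in DER format. Not executed offline.
export_server_cert() {
    host="$1"; port="${2:-443}"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform DER -out "$out"
}

# Offline stand-in for step 1: a self-signed certificate for the hostname
# plays the role of the certificate presented by sugarcrm-fe-1.local.
make_stand_in_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=sugarcrm-fe-1.local" \
        -keyout "$WORK_DIR/server.key" -out "$WORK_DIR/server.pem" 2>/dev/null
    openssl x509 -in "$WORK_DIR/server.pem" -outform DER -out "$CERT_DER"
}

# Step 2: import the DER certificate into a new password-protected JKS
# keystore as a trusted entry. -noprompt answers the "Trust this
# certificate?" question, so the keystore is created without interaction.
import_into_truststore() {
    keytool -importcert -noprompt -trustcacerts \
        -alias "$ALIAS" -file "$CERT_DER" \
        -keystore "$TRUST_STORE" -storetype JKS -storepass "$STORE_PASS" >/dev/null
}

# Verification: list the entry by alias. keytool exits non-zero (with an
# "Alias <...> does not exist" error) when the import did not happen.
truststore_has_alias() {
    keytool -list -v -keystore "$TRUST_STORE" -storetype JKS \
        -storepass "$STORE_PASS" -alias "$1" >/dev/null 2>&1
}

# Compare the SHA-256 fingerprint recorded in the keystore with the one
# computed by openssl on the DER file: both are normalised to lowercase hex
# without colons, so a mismatch means the wrong certificate was imported.
fingerprint_from_keystore() {
    keytool -list -v -keystore "$TRUST_STORE" -storetype JKS \
        -storepass "$STORE_PASS" -alias "$ALIAS" 2>/dev/null \
        | sed -n 's/.*SHA256: *//p' | tr -d ':' | tr 'A-F' 'a-f'
}
fingerprint_from_der() {
    openssl x509 -in "$CERT_DER" -inform DER -noout -fingerprint -sha256 \
        | sed 's/.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Step 3: the JVM arguments for the client: point it at the custom trustStore
# (the password is only needed for the keystore integrity check) and turn on
# SSL debugging to see the handshake messages.
java_client_command() {
    printf 'java -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.debug=ssl %s\n' \
        "$TRUST_STORE" "$STORE_PASS" "$1"
}

# Run the full offline procedure with: sh this_script.sh run
run_all() {
    make_stand_in_cert
    import_into_truststore
    truststore_has_alias "$ALIAS" && echo "alias $ALIAS present in $TRUST_STORE"
    [ "$(fingerprint_from_keystore)" = "$(fingerprint_from_der)" ] && echo "fingerprint matches"
    java_client_command "com.example.SoapClient"   # hypothetical client class
}

if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Against a real server you would call export_server_cert sugarcrm-fe-1.local 443 "$CERT_DER" instead of make_stand_in_cert; the fingerprint comparison is the check worth keeping in either case, since an alias being present only proves that something was imported, not that it is the certificate you meant.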

Through a practical and, I would say, fairly realistic example, we have seen how simple and immediate it is to import digital certificates into the Java keystore so that applications work correctly.

I think this is my third article written in response to questions or problems raised by my colleagues!

Antonio Musarra

I began my journey into the world of computing with an Olivetti M24 PC (bought by my father for his work). Day after day, I quickly took control until … Now I do business consulting for enterprise application development projects using web-oriented technologies such as J2EE, Web Services, ESB, TIBCO, PHP.
