Configure a Java HTTP Client to Accept Self-Signed Certificates: Difference between revisions

From NovaOrdis Knowledge Base
Revision as of 10:38, 9 December 2017

Internal

Overview

If a Java client attempts to connect to an HTTPS server configured with a self-signed SSL certificate, the Java client fails with:

...
javax.net.ssl.SSLHandshakeException: \
sun.security.validator.ValidatorException: PKIX path building failed: \
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This article provides a solution to this problem. The solution consists of obtaining the HTTPS server's certificate (which carries its public key), importing it into a local truststore, and configuring the Java client to use the local truststore.

Procedure

Obtain the HTTPS Server's Certificate

Use openssl s_client to obtain the server's certificate, as described here. The response includes the server's certificate in PEM format, which should look similar to:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Save it locally in a server-cert.pem file.

Import the certificate into a local keystore, which will serve as the client's truststore, and declare it trusted when prompted:

keytool -import -alias <server-name> -keystore ./<server-name>.truststore -file server-cert.pem
keytool -import -alias nexus  -keystore ./nexus.truststore -file server-cert.pem
Enter keystore password:
Re-enter new password:
Owner: CN=*.apps.openshift.novaordis.io
Issuer: CN=openshift-signer@1510385842
Serial number: 12
Valid from: Sat Nov 11 00:04:28 PST 2017 until: Mon Nov 11 00:04:29 PST 2019
Certificate fingerprints:
     MD5:  E0:B7:FA:9C:4F:01:66:1C:51:FC:F9:49:56:69:F8:88
     SHA1: FE:27:F4:0F:20:EA:A8:E4:1D:D4:F3:FD:81:4A:C8:06:35:1E:E5:1A
     SHA256: 3B:A8:06:B2:6F:49:27:1B:7A:50:67:42:E0:6B:E4:99:32:CC:22:21:F2:D4:26:B8:9D:21:BB:96:9D:CF:DD:FB
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
 CA:false
 PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
 serverAuth
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
 DigitalSignature
 Key_Encipherment
]

#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
 DNSName: *.apps.openshift.novaordis.io
 DNSName: apps.openshift.novaordis.io
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
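The final step the overview promises, pointing the Java client at the truststore created above, as an added example that is not part of this wiki article. The truststore path, the target URL, the TRUSTSTORE_PASSWORD variable and the class name are assumed placeholders; the password is the one entered at the "Enter keystore password:" prompt.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedClient {

    // Build an SSLContext whose trust anchors are exactly the certificates in the
    // given truststore (for example ./nexus.truststore from the keytool step).
    // Nothing else is trusted, and hostname verification stays enabled, so the
    // server name must still match the certificate's SubjectAlternativeName.
    static SSLContext sslContextFromTruststore(String path, char[] password) throws Exception {
        // keytool -import without -storetype writes the JVM's default keystore type
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            truststore.load(in, password); // password chosen at "Enter keystore password:"
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders; pass real values on the command line / environment.
        String truststorePath = args.length > 0 ? args[0] : "./nexus.truststore";
        String target = args.length > 1 ? args[1] : "https://example.invalid/";
        String password = System.getenv().getOrDefault("TRUSTSTORE_PASSWORD", "changeit");

        SSLContext ctx = sslContextFromTruststore(truststorePath, password.toCharArray());
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(target).toURL().openConnection();
        // Scope the custom trust to this connection only; the JVM default
        // truststore (cacerts) is untouched for every other connection.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + target);
    }
}
```

Alternatively, start the JVM with -Djavax.net.ssl.trustStore=./nexus.truststore -Djavax.net.ssl.trustStorePassword=... instead of building an SSLContext, but that replaces the default cacerts for the whole process, so connections to publicly signed servers then fail unless their CA certificates are imported into the same truststore.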