Importing site certificate into a java keystore

This is an easy thing, but I kept forgetting the commands, so I thought it would be helpful to just write it down explicitly.

When using Java to connect to SSL sites, all site public key certificates need to be explicitly added into the Java keystore.

This file is typically located under $JAVA_HOME/jre/lib/security/cacerts (with a default password of "changeit").

To extract a site cert, run the following:

openssl s_client -connect [website address]:[website port] (remember in most cases port 443 is the standard)

To extract the site cert for www.google.com, for example, you would do the following:

$ openssl s_client -connect www.google.com:443

Cut/paste the section that starts and ends with the following (including these lines) into a text file (e.g. 1.crt):

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Then run the following to import into the keystore using a unique alias (I'm using BLAH):

keytool -import -alias BLAH -file 1.crt -storetype JKS -keystore $JAVA_HOME/jre/lib/security/cacerts
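
The certificate that s_client prints has not been authenticated by anything, so importing it trusts whoever answered the connection. The script below is an added example, not part of the original post: it automates the cut/paste step and only leaves a file for keytool when the certificate's SHA-256 fingerprint matches a value obtained out of band. The function names, the sample output and the fingerprint placeholder are assumptions made for illustration.

```shell
# Added example: automate the cut/paste step and check the fingerprint before import.

# Print only the first BEGIN/END CERTIFICATE block (the server's own cert)
# from s_client output on stdin; later blocks (e.g. from -showcerts) are ignored.
extract_leaf_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { on = 1 }
         on                              { print }
         /^-----END CERTIFICATE-----$/   { if (on) exit }'
}

# Reduce "sha256 Fingerprint=AA:BB:..." or "aa:bb:..." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Fetch host:port's certificate into $4 and succeed only if its SHA-256
# fingerprint equals $3 (a value obtained out of band, e.g. from the site owner).
fetch_pinned_cert() {
    host=$1 port=$2 expected=$3 out=$4
    # </dev/null makes s_client exit after the handshake; -servername sends SNI.
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        extract_leaf_pem > "$out"
    [ -s "$out" ] || { echo "no certificate received" >&2; return 1; }
    actual=$(openssl x509 -in "$out" -noout -fingerprint -sha256) || return 1
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        rm -f "$out"
        return 1
    fi
}

# Constructed sample of s_client output (placeholder base64, not a real certificate).
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSVNTVUVS
-----END CERTIFICATE-----
---
Server certificate'

# Usage (network required; the fingerprint argument is a placeholder):
#   fetch_pinned_cert www.google.com 443 "<expected SHA-256 fingerprint>" 1.crt &&
#   keytool -import -alias BLAH -file 1.crt -storetype JKS \
#       -keystore "$JAVA_HOME/jre/lib/security/cacerts"
```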