How to Properly Import a Selfsigned Certificate into Java Keystore That Is Available to All Java Applications by Default

  • Home
  • Languages
  • Java
  • How to Properly Import a Selfsigned Certificate into Java Keystore That Is Available to All Java Applications by Default

How to import a .cer certificate into a java keystore?

  • If you want to authenticate you need the private key - there is no other option.
  • A certificate is a public key with extra properties (like company name, country,...) that is signed by some Certificate authority that guarantees that the attached properties are true.
  • .CER files are certificates and don't have the private key. The private key is provided with a .PFX keystore file normally.
    If you really authenticate is because you already had imported the private key.

  • You normally can import .CER certificates without any problems with 

    keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"

Accept server's self-signed ssl certificate in Java client

You have basically two options here: add the self-signed certificate to your JVM truststore or configure your client to

Option 1

Export the certificate from your browser and import it in your JVM truststore (to establish a chain of trust):

<JAVA_HOME>\bin\keytool -import -v -trustcacerts
-alias server-alias -file server.cer
-keystore cacerts.jks -keypass changeit
-storepass changeit

Option 2

Disable Certificate Validation (code from Example Depot):

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { 
    new X509TrustManager() {     
        public java.security.cert.X509Certificate[] getAcceptedIssuers() { 
            return new X509Certificate[0];
        } 
        public void checkClientTrusted( 
            java.security.cert.X509Certificate[] certs, String authType) {
            } 
        public void checkServerTrusted( 
            java.security.cert.X509Certificate[] certs, String authType) {
        }
    } 
}; 

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL"); 
    sc.init(null, trustAllCerts, new java.security.SecureRandom()); 
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (GeneralSecurityException e) {
} 
// Now you can access an https URL without having the certificate in the truststore
try { 
    URL url = new URL("https://hostname/index.html"); 
} catch (MalformedURLException e) {
}

Note that I do not recommend the Option #2 at all. Disabling the trust manager defeats some parts of SSL and makes you vulnerable to man in the middle attacks. Prefer Option #1 or, even better, have the server use a "real" certificate signed by a well known CA.


Related Topics

How to Change Jdk Version for an Eclipse Project

Java: Run as Administrator

Which Cipher Suites to Enable for Ssl Socket

How to Add Jradiobutton to Group in Jtable

Hibernate Opensession() VS Getcurrentsession()

When Should One Use Final for Method Parameters and Local Variables

Why Is "Extends T" Allowed But Not "Implements T"

What Is the "Owning Side" in an Orm Mapping

Java Time-Based Map/Cache with Expiring Keys

Arithmeticexception: "Non-Terminating Decimal Expansion; No Exact Representable Decimal Result"

How to Convert the Date from One Format to Another Date Object in Another Format Without Using Any Deprecated Classes

Why am I Getting Inputmismatchexception

Eclipse 2021-09 Code Completion Not Showing All Methods and Classes

Handling Passwords Used for Auth in Source Code

Overload with Different Return Type in Java

Does the Jvm Prevent Tail Call Optimizations

How to Call a Static Method in Jsp/El

Increase Permgen Space


Leave a reply



Submit