A self-signed certificate is not necessarily a bad thing if you can actually validate or trust its source, for example when the service is reached over a private network link.

If you are accessing resources that use a self-signed certificate from Java, here is what you can do to get your Java application to trust them.

The first thing we need to do is to actually get the certificate. Preferably the interface or API provider will hand it to you in a trusted manner (or at least give you its fingerprint so you can check what you downloaded); if you trust them, you can also fetch it directly from the site by doing:

surfer@yuzuhira:~$ echo -n | openssl s_client -connect raleigh.mach5.local:8000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /home/surfer/raleigh.crt

You can inspect the certificate (issuer, subject, validity period, subject alternative names) by doing:

surfer@yuzuhira:~$ openssl x509 -in raleigh.crt -text

The output should be similar to this:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 400474004 (0x17debf94)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ID, ST = Jakarta Pusat, L = DKI Jakarta, O = mach5, OU = localconnector, CN = raleigh.mach5.local
        Validity
            Not Before: Sep 10 10:46:44 2022 GMT
            Not After : Sep  7 10:46:44 2032 GMT
        Subject: C = ID, ST = Jakarta Pusat, L = DKI Jakarta, O = mach5, OU = localconnector, CN = raleigh.mach5.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d3:93:d9:01:19:e7:2c:35:2e:5c:04:02:42:2b:
                    5f:ae:86:4f:4c:35:f5:e1:9c:33:ec:bf:fe:17:fc:
                    c4:d2:be:65:93:ff:de:dd:9a:cd:7e:5e:53:cc:4d:
                    24:b7:cc:d4:a9:29:ba:2b:7d:f1:f5:a6:7a:a6:dc:
                    ba:06:52:61:1b:93:8d:9c:3f:b1:e1:4b:d8:f9:a7:
                    1d:a9:92:2b:2c:45:47:ea:fd:72:ee:db:2b:86:4f:
                    b9:2b:96:ed:9b:aa:92:a7:b9:27:0f:00:a8:e9:cd:
                    2a:42:06:25:c6:b3:5e:4f:d5:9c:31:08:46:12:a1:
                    b6:47:86:e8:ea:63:a0:82:8e:9a:db:2e:27:f4:99:
                    81:f1:25:8c:38:1f:a8:f3:40:5c:b3:ef:1e:a1:ef:
                    8f:78:63:49:16:07:fa:ed:36:6e:85:cb:db:3e:47:
                    5a:9f:ea:ee:e1:d3:b9:c0:5b:83:81:ab:82:e6:89:
                    c7:14:d7:2f:a1:75:ad:11:02:98:50:0a:34:2b:60:
                    a3:4e:81:7f:86:4a:76:2d:a7:3d:00:70:ac:0c:b4:
                    41:5c:6e:ca:fc:22:09:e2:a0:5f:3e:d6:db:31:1f:
                    12:a4:cf:71:38:72:87:65:8b:db:1c:f7:37:71:b6:
                    9c:31:b3:a0:6b:ee:72:6b:f4:4b:e3:0d:c3:0a:37:
                    e5:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:raleigh.mach5.local, IP Address:172.16.121.161
    Signature Algorithm: sha256WithRSAEncryption
         bf:28:61:05:30:85:c8:1f:71:0c:f1:cd:e0:98:6e:07:b9:91:
         e6:a1:8a:1e:b4:8c:a8:12:0b:0e:76:46:ed:77:42:9c:32:b1:
         56:0b:99:01:78:9e:d6:81:6f:4f:65:18:60:b9:2e:69:60:99:
         55:ea:d7:fa:95:03:3f:a4:ba:0c:68:ad:df:55:50:e8:bc:e8:
         d2:f3:c6:ae:ed:93:7d:83:d7:f3:60:ad:b7:90:42:27:8c:44:
         e8:f8:71:7a:cd:19:78:4a:a0:ad:fd:19:e7:0a:85:00:23:1f:
         e6:a1:8a:1e:b4:8c:a8:12:0b:71:78:9e:d6:81:6f:4f:65:18:
         e6:b8:a3:e3:e9:76:46:83:90:74:d5:fe:5f:4b:fb:1e:cf:13:
         71:5d:51:3a:34:83:3f:a4:ba:0c:68:ad:df:b0:38:2b:85:82:
         09:29:48:1f:e2:10:c2:92:89:f8:d0:62:02:e6:b8:a3:e3:e9:
         3f:2b:e2:dd:90:74:d5:fe:5f:4b:72:82:42:4a:1f:0d:f3:e7:
         ef:86:19:57:64:06:29:e2:b8:be:a0:6c:0b:d0:db:17:97:99:
         08:da:dd:a0:5d:8c:5a:eb:1a:f4:0a:c6:5a:24:98:b1:04:6d:
         9d:07:76:2f:5d:6b:de:18:79:d0:2d:9e:48:8c:7f:ee:df:ed:
         b0:bf:7a:e9
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted here)
-----END CERTIFICATE-----

The next thing to do is to add the self-signed certificate to the JVM truststore, which is usually located at “$JAVA_HOME/jre/lib/security/cacerts”. On a default OpenJDK installation on an Ubuntu system this translates to “/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts”, which Debian and Ubuntu make a symlink to “/etc/ssl/certs/java/cacerts”, so either path refers to the same store. (On Java 9 and later there is no “jre” subdirectory and the file lives at “$JAVA_HOME/lib/security/cacerts”.)

To add the certificate that we previously extracted, do:

surfer@yuzuhira:~$ sudo keytool -import -trustcacerts -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -alias localcon -file /home/surfer/raleigh.crt

To check whether the certificate has been properly imported into the truststore, do:

surfer@yuzuhira:~$ keytool -list -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit

At the bottom of the output you should find the entry that you have just added to the store, like this:

localcon, Sep 13, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): F4:8C:8B:E9:38:95:89:23:90:83:3f:a4:ba:0c:68:ad:df:b0:38:EF:5B:98:99:FB:14:53:B2:9E:14:18:D2:C3

Restart your Java app or Tomcat, and we are done!
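The steps above change the JVM-wide cacerts, so every application using that JDK now trusts the certificate. As an added example that is not part of the original post, the program below shows the same trust decision made per application in Java: it loads raleigh.crt, refuses it unless its SHA-256 fingerprint matches the value the provider gave you out of band (here the fingerprint printed by keytool above is used as that expected value), builds an in-memory truststore containing only that certificate, and uses it for one HTTPS connection. It can also write that truststore to a file for use with -Djavax.net.ssl.trustStore. The host name, port, file paths, alias and password are the ones from the post; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedTrust {

    // Expected SHA-256 fingerprint of raleigh.crt. In practice this value comes from
    // the service owner through a separate channel; here it is the one keytool
    // printed in the post. Comparison is case-insensitive.
    static final String EXPECTED_SHA256 =
        "F4:8C:8B:E9:38:95:89:23:90:83:3F:A4:BA:0C:68:AD:DF:B0:38:EF:5B:98:99:FB:14:53:B2:9E:14:18:D2:C3";

    /** Colon-separated hex SHA-256 of the DER encoding, the same form keytool prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Parses a PEM (or DER) encoded X.509 certificate from disk. */
    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Builds a JKS truststore in memory that contains only this one certificate. */
    static KeyStore trustStoreFor(X509Certificate cert, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);               // start from an empty store, no file backing
        ks.setCertificateEntry(alias, cert);
        return ks;
    }

    /** SSLContext whose trust manager consults only the given truststore. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String certPath = args.length > 0 ? args[0] : "/home/surfer/raleigh.crt";
        X509Certificate cert = loadCertificate(certPath);

        // "Validate the source": refuse a certificate whose fingerprint does not match
        // what the provider told us, so a substituted certificate is never trusted.
        String actual = sha256Fingerprint(cert);
        if (!actual.equalsIgnoreCase(EXPECTED_SHA256)) {
            throw new SecurityException("certificate fingerprint mismatch: " + actual);
        }
        cert.checkValidity();              // throws if outside Not Before / Not After

        KeyStore ts = trustStoreFor(cert, "localcon");

        // Option A: trust it for this application's connections only; the JVM's
        // cacerts is left untouched. Host name verification still runs against the
        // certificate's SAN (DNS:raleigh.mach5.local), as with any HttpsURLConnection.
        SSLContext ctx = contextFor(ts);
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://raleigh.mach5.local:8000/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());

        // Option B: persist the truststore and point the JVM at it instead of cacerts:
        //   java -Djavax.net.ssl.trustStore=raleigh-truststore.jks \
        //        -Djavax.net.ssl.trustStorePassword=changeit ...
        try (OutputStream out = new FileOutputStream("raleigh-truststore.jks")) {
            ts.store(out, "changeit".toCharArray());
        }
    }
}
```

Compile and run with javac SelfSignedTrust.java && java SelfSignedTrust /home/surfer/raleigh.crt. Note that the in-memory truststore in option A trusts only raleigh.crt, so the SSLContext built from it is meant for connections to that service; other connections should keep using the JVM default context. Option B replaces the whole default truststore for that JVM with the file, which is why the keytool import into cacerts in the post is often the more convenient choice when the application also talks to public services.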

By ikhsan
