Friday, April 19, 2013

Installing root and intermediate certificates in the Java keystore

Issue faced:
Java software could not validate the server certificate. This exception is thrown:
PKIX path building failed:
unable to find valid certification path to requested target

The issue in depth:
Default Java validation mechanism:
1. If the server sends the whole certificate chain and we trust the root certificate -> fine.
2. If the server sends only its own certificate, we have to validate it via the intermediate certificate (the direct signer of the server certificate).
2.1. If we trust the intermediate certificate (we have it in our keystore) -> fine.
2.2. If we do not know anything about the intermediate certificate, we cannot validate the certificate chain.
2.3. If we trust the root but do not have the intermediate certificate in the chain, we also cannot validate the certificate chain. Without the intermediate the chain is incomplete, so we cannot reach a trusted root.

My complaint is: Java cannot validate the server certificate, but my browser can. Why?

Browsers have a much more complete list of intermediate certificates than Java does, so the browser validates the server certificate via the intermediate certificate with no need for the server to send the certificate chain.

Possible solutions:
1. Fix the server to return the full certificate chain.
2. Add the intermediate certificate to the trust store (Java keystore).
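
The validation cases and solution 2 above, reproduced offline as an added example (not part of the original post). It builds a constructed three-tier PKI and uses `openssl verify` as a stand-in for Java's path validator; the openssl command-line tool, all file names and the certificate subjects are assumptions of this example.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI; every name and file is made up.
# -CAfile plays the role of the Java trust store (cacerts); -untrusted holds
# the extra certificates a server sends along with its own.
set -eu

# make_pki DIR: write root.pem (self-signed), inter.pem (signed by root)
# and server.pem (signed by inter) into DIR.
make_pki() {
  ( cd "$1" &&
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
      'basicConstraints = critical,CA:TRUE' > ca.cnf &&
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
      -nodes -subj '/CN=Constructed Root CA' -days 2 \
      -keyout root.key -out root.pem &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj '/CN=Constructed Intermediate CA' \
      -keyout inter.key -out inter.csr &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.cnf -extensions v3_ca -days 2 \
      -out inter.pem &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj '/CN=server.example' -keyout server.key -out server.csr &&
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -days 2 -out server.pem
  ) >/dev/null 2>&1
}

# path_ok TRUSTSTORE LEAF [SENT_CHAIN]: succeed only if a path can be built
# from LEAF up to a certificate in TRUSTSTORE.
path_ok() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_pki "$d"
  cat "$d/root.pem" "$d/inter.pem" > "$d/fixed.pem"  # store after solution 2
  path_ok "$d/root.pem" "$d/server.pem" "$d/inter.pem" &&
    echo "case 1: full chain sent, root trusted -> valid"
  path_ok "$d/root.pem" "$d/server.pem" ||
    echo "case 2.3: only server cert sent, root trusted -> no path"
  path_ok "$d/fixed.pem" "$d/server.pem" &&
    echo "solution 2: intermediate added to trust store -> valid"
  rm -rf "$d"
}
demo
```

The `fixed.pem` store corresponds to a Java keystore after the intermediate has been imported: the path builds even though the server sends only its own certificate.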

Note: if the server returns the whole certificate chain but the Java client cannot validate it, you could use this single Java class utility to easily install it.

Below in the article I will describe how to add the intermediate certificate to the client keystore.

Steps to success:
1. Find the certificates
2. Download the certificates
3. Import the certificates into the local keystore

VeriSign issues:
Only root certificates are available on their site, so I could not find and download the intermediates (step 1 issue) from the official site.

Open Firefox and click on the certificate box in the address bar. The certificate info is shown. You can navigate to the certificate chain and export any certificate you want.

Importing could not be easier:
sudo keytool -import -alias "verisign-inter" -file verisign-inter.pem -keystore /Library/Java/Home/lib/security/cacerts

Note: Check the path of your Java keystore on your Linux/Windows distribution.

