Friday, April 19, 2013

Installing root and intermediate certificates in a Java keystore

Issue faced:

A Java client could not validate the server's certificate; the TLS handshake fails with this exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target


Issue in detail

Default Java validation mechanism (the PKIX path validator):
1. If the server sends its whole certificate chain and we trust the root -> fine.
2. If the server sends only its own certificate, the validator has to find the intermediate certificate (the direct signer of the server certificate) on its own:
2.1 If we trust the intermediate certificate (it is in our truststore) -> fine.
2.2 If we know nothing about the intermediate certificate, the chain cannot be validated.
2.3 If we trust the root but do not have the intermediate certificate in the truststore, the chain cannot be validated either. Without the intermediate there is no way to link the server certificate to the trusted root, so path building fails with exactly the exception shown above.


Why can my browser validate the certificate but Java cannot?

Browsers keep a much more complete set of intermediate certificates than Java does: they cache every intermediate seen on earlier connections, and most of them fetch a missing intermediate from the URL in the certificate's Authority Information Access (AIA) extension. Their certificate lists are updated automatically with new browser versions, invisibly to users. Java's default validator does none of this out of the box (fetching via AIA exists but is off unless the system property com.sun.security.enableAIAcaIssuers is set to true), so in Java the intermediate has to be supplied manually.
Sometimes a website's certificate is issued directly by a root; in that case the root alone is enough to validate it and the problem does not arise.

Possible solutions

1. Fix the server to return the full certificate chain. This is the preferred fix: it repairs every client at once and adds nothing to any trust store.
2. Add the intermediate certificate to the client's trust store (Java keystore). Keep in mind that Java treats every certificate in its truststore as a trust anchor, so this trusts everything issued under that intermediate without ever checking its path up to the root.

Note: if the server returns the whole certificate chain but the Java client still cannot validate it (typically because the root itself is not in the truststore), you can use the InstallCert utility to fetch the chain from the server and import it into a keystore.

Below I will describe how to add an intermediate certificate to the client keystore.

Steps to success

1. Find the certificates
2. Download the certificates
3. Import the certificates into the local keystore

VeriSign issues

Only root certificates are available on their site, so I could not find and download the intermediates (step 1 issue) from the official site.

Download certificates via browser:

Open Firefox and click the padlock / certificate icon in the address bar. The certificate viewer shows up, lets you navigate the certificate chain, and can export any certificate in it. The procedure for Chrome / Edge is similar. Before trusting an intermediate obtained this way, compare its fingerprint with the one the CA publishes for it: you are about to make it a trust anchor.

Import into the Java keystore

Importing is a one-liner (keytool prompts for the keystore password; the JDK default is changeit):
sudo keytool -import -alias "verisign-inter" -file verisign-inter.pem -keystore /Library/Java/Home/lib/security/cacerts

Note: check the path of the Java keystore for your Linux/Windows distribution. It is usually $JAVA_HOME/lib/security/cacerts (or $JAVA_HOME/jre/lib/security/cacerts for a JDK 8 runtime). Editing cacerts changes trust for every application that uses that JDK and the file is overwritten when the JDK is upgraded; for a single application it is safer to import into a separate truststore and point the JVM at it with -Djavax.net.ssl.trustStore.
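The three validation cases described above and the import step, as an added example that is not part of the original post: the script below generates a throwaway root -> intermediate -> server chain with openssl (the subject names, file names and the alias demo-intermediate are invented for the demo), shows that the server certificate fails to verify against the root alone but verifies once the intermediate is either supplied as chain material or trusted directly, and then imports the intermediate into a dedicated PKCS12 truststore with keytool (skipped when no JDK is on PATH).

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway
# root -> intermediate -> server chain with openssl, reproduces the
# "missing intermediate" failure and the two working cases, then imports
# the intermediate into a dedicated Java truststore with keytool.
# Subject names, file names and the alias "demo-intermediate" are invented.
set -eu

# Generate the three-tier demo PKI in a fresh temp dir and print the dir path.
build_demo_pki() {
  dir=$(mktemp -d)
  cat > "$dir/ext.cnf" <<'EOF'
[root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[intermediate]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
[server]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
  (
    cd "$dir"
    # Self-signed root: CSR, then sign it with its own key and the [root] extensions.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ext.cnf -extensions root -out root.pem
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout inter.key -out inter.csr
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ext.cnf -extensions intermediate -out inter.pem
    # Server (leaf) certificate, signed by the intermediate only.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout server.key -out server.csr
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -sha256 -extfile ext.cnf -extensions server -out server.pem
  ) >/dev/null 2>&1
  echo "$dir"
}

# Case 2.3 of the post: root trusted, intermediate missing. No path to the
# root can be built, the same failure Java reports as "unable to find valid
# certification path to requested target". Returns 0 when verify fails.
missing_intermediate_fails() {
  ! openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Case 1: the server also sends the intermediate (untrusted chain material)
# and the root is in the trust store, so the path builds.
full_chain_verifies() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
      "$1/server.pem" >/dev/null 2>&1
}

# Case 2.1: the intermediate itself is in the trust store. Java's PKIX
# validator treats every truststore entry as a trust anchor; openssl needs
# -partial_chain to accept a chain that stops at a non-self-signed cert.
trusted_intermediate_verifies() {
  openssl verify -partial_chain -CAfile "$1/inter.pem" \
      "$1/server.pem" >/dev/null 2>&1
}

# Step 3 of the post, done in a dedicated PKCS12 truststore instead of the
# JDK's cacerts. "changeit" is the conventional default keystore password.
# Skipped (returns 0) when no JDK is on PATH.
import_intermediate() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping import"; return 0; }
  keytool -importcert -noprompt -alias demo-intermediate -file "$1/inter.pem" \
      -keystore "$1/truststore.p12" -storetype PKCS12 -storepass changeit >/dev/null 2>&1
  # Confirm the entry landed. A JVM uses this store with
  # -Djavax.net.ssl.trustStore=$1/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12
  # -Djavax.net.ssl.trustStorePassword=changeit
  keytool -list -keystore "$1/truststore.p12" -storetype PKCS12 -storepass changeit 2>/dev/null \
      | grep -q '^demo-intermediate,'
}

main() {
  pki=$(build_demo_pki)
  missing_intermediate_fails "$pki"    && echo "root only:                no path (expected)"
  full_chain_verifies "$pki"           && echo "root + sent intermediate: OK"
  trusted_intermediate_verifies "$pki" && echo "intermediate trusted:     OK"
  import_intermediate "$pki"           && echo "truststore: $pki/truststore.p12"
}
main
```

To apply the same diagnosis to a real server, check what it actually sends with openssl s_client -connect host:443 -servername host -showcerts: if only one certificate comes back you are in case 2, and the intermediate's download location is the CA Issuers URL printed by openssl x509 -in server.pem -noout -text under Authority Information Access. Run the JVM against the dedicated truststore with the three -Djavax.net.ssl.* properties shown in the comments rather than editing the JDK's cacerts.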


