Importing a self signed certificate to java cacert trust store

The following steps to be used only in non production environments.

Self signed certificates could be used in some organisations to make server to server calls between java programs on SSL.  During these situations, we can import the certificate from the server jvm to client's jvm to fix the SSL handshake issue.

On Server JVM:

Generate a self signed certificate

keytool -genkey -noprompt -alias test.example.com -dname "CN=localhost, OU=Team Name, O=Organisation Name, L=London, S=Greater London, C=UK" -ext "san=dns:test.example.com,dns:test.example.org" -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore /tmp/keystore.p12 -validity 36500 -storepass mypassword -keypass mypassword

List the certificate

keytool -list -keystore /tmp/keystore.p12 -storepass mypassword -storetype PKCS12 -v

Export the certificate

keytool -exportcert -keystore /tmp/keystore.p12 -storetype PKCS12 -storepass mypassword -alias localhost -file /tmp/test.example.com.crt

On Client JVM:

List existing certificate in default trust store (cacerts)

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Import the server certificate

Prefix the following command with sudo if you get permission denied error.

keytool -import -v -trustcacerts -alias test.example.com -file /tmp/localhost.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -keypass changeit -storepass changeit -noprompt

List the newly imported certificate

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -alias test.example.com

Delete the newly imported certificate (after finishing the test)

Prefix the following command with sudo if you get permission denied error.

keytool -delete -alias test.example.com -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Comments

Post a Comment

Popular posts from this blog

JSON with curl and jq

This blog post captures some quick commands to deal with JSON from servers (Http APIs) using curl and jq command line tools About Jq: https://stedolan.github.io/jq/ Install jq: Mac: brew install jq Ubuntu or Debian: sudo apt-get install jq Sample JSON content: Assume the following JSON content will be returned from  URL http://api.example.com/some-json-content {     "user_name": "User 123",     "some_other_field": {         "sub_field": "sub_value"     },     "array_field": [         {             "field1": "value1",             "field2": "value2"         },         {             "field1": "value3",             "field2": "value4"         }     ] } UR...
Read more

Import self signed in Linux for Chrome / Chromium headless testing

Chrome / Chromium browser offers headless mode, which is quite useful to run tests via Selenium WebDriver in CI servers. However under some circumstance your test will hit a server with self signed certificate or invalid certificate or expired certificate. This may happen for developers trying to write tests against a server started on localhost with self signed certificates or testers trying to write tests against non-production servers with expired certificates (invalid certificates). Chrome / Chromium browser ignores the SSL errors when running in non-headless mode. However in CI servers, then it should be running in headless mode and currently we cannot ignore the SSL errors for tests accessing non-localhost websites. This blogs explains the steps for import a certificate into Linux's trust store, which will make the Chrome / Chromium browser to trust the self signed certificate.  Please do not apply these steps in production servers as it will make server vulnerable to ...
Read more

Colima - Drop In replacement for Docker Desktop for Mac and Linux

Colima ( Co ntainer on Li nux Ma chines) is an open source alternative and drop in replacement for Docker Desktop on Mac and Linux. https://github.com/abiosoft/colima It is simple to setup and run containers without the need for sudo or root access. Images can be pulled form both Docker hub ( https://hub.docker.com ) or Amazon's public registry ( https://gallery.ecr.aws ) Amazon's registry is more permissive or friendly with pull rates for both clients and non-clients of AWS. This article show the setup and basics of running containers on mac. Installation command for Linux can vary based on the distribution type, hence please refer to official documentation for up-to-date steps at  https://github.com/abiosoft/colima/blob/main/docs/INSTALL.md Installation on mac: brew install docker  brew install docker-buildx brew install docker-compose brew install jq brew install colima Setup docker compose as docker plugin mkdir -p $HOME/.docker/cli-plugins ln -sfn $(which docker-compose) ...
Read more