Retrieve the site's SSL certificate using the openssl command:
openssl s_client -showcerts -connect server.domain.tld:443 < /dev/null > server.domain.tld.cer
Note that server.domain.tld is just the fully-qualified domain name, e.g. www.yahoo.com, and not the HTTPS address! Port 443 is the default port for the HTTPS protocol. If your server uses another port, substitute that in place of 443.
Once the openssl command has completed, open the output file server.domain.tld.cer. At the beginning of this file, you'll see something like this (this shows the certificate from the Wikipedia site; for major sites like this, you don't usually need to add the certificate manually, but this is just to illustrate what these look like):
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MII...
<many lines of incomprehensible gibberish>
xxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
You only need the contents of this starting with the line containing BEGIN CERTIFICATE and ending with END CERTIFICATE, so go ahead and delete everything before that first line and after the second and save the file. It should look like this now:
-----BEGIN CERTIFICATE-----
MII...
<many lines of incomprehensible gibberish>
xxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
Once you have the certificate from the target site, you can import it with the Java keytool command. The syntax for importing a certificate is:
keytool -import -trustcacerts -alias server.domain.tld -file server.domain.tld.cer -keystore cacerts
You'll be prompted for a password. The default Java keystore password is changeit. The value cacerts is the name of the Java keystore into which you want to import the certificate. By default, unless you specify another keystore, the one that your JVM will use is located under your JAVA_HOME folder at jre/lib/security/cacerts for a JDK and at lib/security/cacerts in a JRE.
And that's it! Once you've imported the certificate into your JVM's keystore, you should be able to use your Java-based tools to access the sites that use that certificate.
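The manual trimming step can also be scripted. The following is an added example, not part of the original page; its function names and the sample output are constructed for illustration. It keeps only the first certificate block that -showcerts prints (the server's own certificate), refuses to write a file when the saved output holds no complete certificate, and prints a SHA-256 fingerprint to compare with a value obtained from the server's administrator before running keytool.

```shell
# Added example: function names and the sample below are constructed.

# Print the first PEM block (chain entry 0, the server's own certificate) from
# saved s_client output; status 1 if no complete BEGIN/END pair is present.
extract_leaf_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ && !found { inside = 1 }
        inside { print }
        /-----END CERTIFICATE-----/ && inside { inside = 0; found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Write the leaf certificate to $2; $2 is left untouched on failure.
trim_to_cer() {
    tmp="$2.tmp.$$"
    if extract_leaf_cert "$1" > "$tmp"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        echo "no complete certificate in $1 (did the connection fail?)" >&2
        return 1
    fi
}

# SHA-256 fingerprint to check out of band before keytool -import.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed sample of saved output: two chain entries, placeholder bodies.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=server.domain.tld
-----BEGIN CERTIFICATE-----
LEAF0PLACEHOLDER0BASE64=
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
ISSUER0PLACEHOLDER0BASE64=
-----END CERTIFICATE-----
EOF
}

# Usage: sh trim_cert.sh <saved s_client output> <PEM file to write>
if [ "$#" -eq 2 ]; then trim_to_cer "$1" "$2" && cert_fingerprint "$2"; fi
```

Because the result is written to a temporary file first, the input and output paths may be the same file.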
If your tools continue to fail after importing the certificate, you most likely have a tool that's somehow using another JDK or JRE, such as an embedded JRE. You'll need to determine the location of the JVM being used in order to find the certificate store for that particular machine.