loi mai

Reputation: 421

How to check a Certificate is in default cacerts

A client provided me with an HTTPS URL for a service call. I need to make a request to that URL. I know that if the certificate of that URL is from a common provider, chances are that it's already available in the default Java truststore cacerts.

However, I am unsure how to check whether I need to import the certificate or not. How can I check whether a certificate from a website is already in the default Java truststore \jre1.8\lib\security\cacerts?

Upvotes: 23

Views: 155338

Answers (4)

Sherwin F

Reputation: 763

I had a similar issue where I needed to test whether the correct cert was added to the Java keystore. This blog post by Matthew Davis shows a simple method for doing so. It does require access to a JDK.
Source: https://matthewdavis111.com/java/poke-ssl-test-java-certs/

Install JDK (if needed)

# Debian/Ubuntu
apt-get install -y default-jdk

# Rockylinux/Alma
dnf install -y java-latest-openjdk-devel

Source Code

Save the following to SSLPoke.java

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establishes an SSL connection to a host and port using the default
 * truststore (cacerts), writes a byte and prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: " + SSLPoke.class.getName() + " <host> <port>");
            System.exit(1);
        }
        // getDefault() uses the JRE's default truststore, so an untrusted
        // certificate chain fails here with an SSLHandshakeException.
        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]))) {
            // Force the TLS handshake (and therefore certificate validation) now
            sslsocket.startHandshake();

            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :)
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}

Compile the app

Run the following which will produce a Java class file SSLPoke.class

javac SSLPoke.java

Run the app

java SSLPoke <hostname> <port>
# e.g. java SSLPoke google.com 443

A message saying Successfully connected means the HTTPS connection is trusted; otherwise an exception will be printed.

Upvotes: 0

Jesse

Reputation: 2074

You can inspect (list) certificates in your cacerts keystore using the Java keytool command.

keytool -list -v -keystore /path/to/cacerts

keytool has to be in your path, or can be found in the bin directory of your Java installation (e.g. C:/Program Files (x86)/Java/jre1.8/bin/keytool.exe).

Upvotes: 39

Imran

Reputation: 485

A simple approach to list certificates in cacerts is

keytool -v -list -cacerts -storepass changeit

Upvotes: 12

user207421

Reputation: 310893

Just try to connect to it with URL and HttpsURLConnection, going at least as far as getting the response code, and no fancy trust managers or anything. If it's trusted, you won't have a problem.

Your terminology is astray. All certificates are public. If it's a CA-signed certificate, signed by a CA whose certificate is in cacerts, you don't need to import it.

Upvotes: 5
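Building on the "just connect with the default trust store" advice above and on the SSLPoke approach, the following is an added example (not code from any of the answers or from the linked blog): it connects using the JRE's default cacerts, keeps full PKIX validation in place, and on success prints which cacerts entry anchors the server chain, or on failure which issuer is missing. Assumptions: the class name CacertsCheck is invented, the default trust store is the one the question names (or javax.net.ssl.trustStore if set), and the anchor match is by issuer DN only.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/** Connects with the JRE's default trust store (lib/security/cacerts, or
 *  javax.net.ssl.trustStore if set) and reports which cacerts entry anchors
 *  the server's chain, or which issuer is missing when the handshake fails. */
public class CacertsCheck {
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                 // null = the JRE default cacerts
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 2) { System.err.println("Usage: java CacertsCheck <host> <port>"); System.exit(1); }
        final X509TrustManager dflt = defaultTrustManager();
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Wrapper that only records the presented chain, then delegates to the real PKIX check (no bypass)
        X509TrustManager recording = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
                seen[0] = chain;
                dflt.checkServerTrusted(chain, auth);
            }
            public void checkClientTrusted(X509Certificate[] chain, String auth) throws CertificateException {
                dflt.checkClientTrusted(chain, auth);
            }
            public X509Certificate[] getAcceptedIssuers() { return dflt.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{recording}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the hostname, as HttpsURLConnection does
            s.setSSLParameters(p);
            s.startHandshake();                            // throws if the chain is not trusted by cacerts
            X509Certificate top = seen[0][seen[0].length - 1];
            System.out.println("Trusted leaf: " + seen[0][0].getSubjectX500Principal());
            for (X509Certificate ca : dflt.getAcceptedIssuers())   // heuristic match by issuer DN
                if (ca.getSubjectX500Principal().equals(top.getIssuerX500Principal()))
                    System.out.println("Anchored by cacerts entry: " + ca.getSubjectX500Principal());
        } catch (SSLException e) {
            System.out.println("NOT trusted: " + e.getMessage());
            if (seen[0] != null)
                System.out.println("Issuer not found in cacerts: " + seen[0][seen[0].length - 1].getIssuerX500Principal());
        }
    }
}
```

Compile with javac CacertsCheck.java and run as java CacertsCheck <host> 443; if the issuer line appears, that CA (not the server's own certificate) is what would need importing.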
