Issue with www.google.com SSL cert in WebSphere 6.1

Question

I'm adding Google reCaptcha v3 to my J2EE application that runs under WebSphere 6.1. (I know, its no longer supported. A software upgrade is on the plan, just not immediately.)

I've followed the steps below to add the www.google.com:443 cert to WebSphere's NodeDefaultTrustStore, and after restarting WebSphere, the SSL cert is accepted no problem. My servlet code that does the reCaptcha verify logic works fine and all is well.

However, the following day, the certificate I imported is no longer accepted. When I import it again, I see that the Fingerprint (SHA digest) is different than the previous day. It looks like Google changes their SSL cert on a daily basis. Is this true? If so, how do I get around this problem in WebSphere?

CWPKI0428I: The signer might need to be added to the local trust store. You can use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem. If you determine that the request is trusted, complete the following steps:

1. Log into the administrative console.

2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations.

3. Select the appropriate outbound configuration to get to the (cell):ServerNode01Cell:(node):ServerNode01 management scope.

4. Under Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.

5. Under Additional Properties, click Signer certificates and Retrieve From Port.

6. In the Host field, enter www.google.com in the host name field, enter 443 in the Port field, and www.google.com_cert in the Alias field.

7. Click Retrieve Signer Information.

8. Verify that the certificate information is for a certificate that you can trust.

9. Click Apply and Save.

Answer 1

Here's an approach for WebSphere Liberty that might work for 6.1, I haven't tried it.

https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_add_trust_cert.html

Use the openssl method but take the -second- certificate in the list (which doesn't expire until 2021).

Answer 2

"Retrieve from port" adds the leaf certificate. To do something more reliable, trust the issuer. The current issuer for is GlobalSign root CA R2 which you can grab from https://pki.goog/ (GS Root R2)

Unfortunately it is hard to automate grabbing the root CA in tools like "retrieve from port" because many SSL toolkits do not send the root CA over the wire during the handshake -- because the client should already have it.