cacerts for dummies

By: mbluteau

February 24, 2012 2:50 pm

License:
No license, open source java

Download installcert-sslpoke.zip

After feeding arguments into the keytool command line interface on Windows and Linux countless times, I decided to search the web for bits and pieces of code and found two useful tools, which I am attaching to this article. Their source code, which is also available on the web, is included in the attached zip file.

First, extract the files into $JAVA_HOME/lib/security and run InstallCert from that directory. The tool looks for a jssecacerts file in the current directory first and falls back to the JRE's own lib/security/jssecacerts and then cacerts, so running it from the security directory keeps everything in one place:

java InstallCert server_ip:ssl_port
-------------------------
sles11SP180:/jre/lib/security # /opt/novell/idm/jre/bin/java InstallCert localhost:8443
Loading KeyStore jssecacerts...
Opening connection to localhost:8443...
Starting SSL handshake...
...
Server sent 1 certificate(s):

 1 Subject CN=Temporary Certificate, OU=iManager, O=Novell, L=, ST=, C=US
   Issuer  CN=Temporary Certificate, OU=iManager, O=Novell, L=, ST=, C=US
   sha1    c1 8e a4 a5 8e 97 47 c2 77 08 44 1e 45 7b 99 fd 23 aa d9 7d 
   md5     c8 f2 da 90 8b 87 21 9b 26 ae a2 43 d3 f0 bb c6 

Enter certificate to add to trusted keystore or 'q' to quit: [1]
-------------------------

InstallCert writes a file named jssecacerts in the current directory, containing the trust store it loaded plus the certificate you selected as a trustedCertEntry. The JRE consults lib/security/jssecacerts before lib/security/cacerts, so placing the file there makes the new trust take effect for every Java process using that JRE without modifying cacerts or passing -Djavax.net.ssl.trustStore. Before pressing Enter at the prompt, compare the sha1 fingerprint printed with one obtained from the server's administrator (for example from keytool -list -v against the server's keystore); accepting whatever the network presented is trust-on-first-use, and a man-in-the-middle at that moment would be trusted permanently. For a self-signed server such as the iManager example above, the entry you add is the server certificate itself; when a server presents a chain, pick the issuing CA instead so that a renewed server certificate stays trusted. The .java sources can be modified and recompiled with javac from a JDK. To confirm the entry was added, either run InstallCert again (it should now report that the certificate is already trusted) or list the keystore with keytool, pointing -keystore at the file you actually wrote (jssecacerts for InstallCert, cacerts for the keytool import shown further down). The default keystore password is changeit.

-------------------------
sles11SP180:/jre/lib/security # /opt/novell/jdk1.6.0_24/bin/keytool -list -keystore ./cacerts | grep sentinel
Enter keystore password:  changeit
sentinel.netiq.ca, Feb 20, 2012, trustedCertEntry,
-------------------------

Then use SSLPoke to confirm that the JVM can now complete a TLS handshake with the server. SSLPoke uses the JVM's default trust store, so the test is only meaningful if the jssecacerts you created is in lib/security of the JRE you run it with (or is supplied with -Djavax.net.ssl.trustStore):

java SSLPoke server_ip ssl_port
-------------------------
sles11SP180:/jre/lib/security # /opt/novell/idm/jre/bin/java SSLPoke sentinel.netiq.ca 61616
Successfully connected
sles11SP180:/jre/lib/security # 
-------------------------

An alternative is to export the server certificate (or, better, its issuing CA certificate) to a DER or PEM file with a browser such as Firefox, then import that file with keytool. With -trustcacerts, keytool also consults cacerts when checking whether the new certificate chains to something already trusted; if it does not, keytool prints the certificate and its fingerprints and asks whether to trust it, which is your chance to verify the fingerprint before anything is written:

-------------------------
sles11SP180:/jre/lib/security # /opt/novell/jdk1.6.0_24/bin/keytool -importcert -v -trustcacerts -alias sentinel.netiq.ca -file ./sentinel.netiq.ca -keystore ./cacerts
-------------------------
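Both import paths above leave the fingerprint check to the operator at a prompt. The program below is an added example written for this article, not part of the InstallCert or SSLPoke sources; the class name TrustedImport and its arguments are my own. It reads a certificate exported with a browser or openssl, prints its SHA-256 fingerprint (stronger than the sha1/md5 lines InstallCert prints), refuses to import unless that fingerprint matches the value passed on the command line, warns when the certificate is an end-entity certificate rather than a CA, and only then stores it as a trustedCertEntry, as keytool -importcert would.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Locale;

/**
 * Added example (not the InstallCert/SSLPoke code from the article): import a
 * certificate into a Java trust store only if its SHA-256 fingerprint matches a
 * value obtained out of band. Tool name and argument layout are hypothetical.
 *
 *   java TrustedImport <keystore> <alias> <certfile> <expected-sha256> [password]
 */
public class TrustedImport {

    // keytool's fingerprint layout: upper-case hex pairs separated by colons
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    // Accept "c1 8e a4" (InstallCert), "C1:8E:A4" (keytool/openssl) or bare "C18EA4"
    // and normalise to "C1:8E:A4" so the operator can paste whichever form they were given.
    static String normalise(String fp) {
        String hex = fp.replaceAll("[^0-9a-fA-F]", "").toUpperCase(Locale.ROOT);
        return hex.replaceAll("(..)(?!$)", "$1:");
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: java TrustedImport <keystore> <alias> <certfile> <expected-sha256> [password]");
            System.exit(2);
        }
        String storePath = args[0], alias = args[1], certPath = args[2];
        String expected = normalise(args[3]);
        char[] password = (args.length > 4 ? args[4] : "changeit").toCharArray(); // JDK default

        // CertificateFactory accepts both DER and PEM ("-----BEGIN CERTIFICATE-----") input
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        String actual = fingerprint(cert, "SHA-256");
        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal());
        System.out.println("SHA-256 : " + actual);
        if (!actual.equals(expected)) {
            System.err.println("REFUSING import: fingerprint does not match the expected value");
            System.exit(1);
        }

        // getBasicConstraints() returns -1 when the certificate is not a CA. Trusting a
        // leaf works (it is what InstallCert does for a self-signed server) but has to be
        // repeated every time the server certificate is renewed.
        if (cert.getBasicConstraints() == -1) {
            System.out.println("NOTE: not a CA certificate; consider trusting its issuer instead");
        }
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        cert.checkValidity(); // throws if the certificate is expired or not yet valid

        // JKS on the JDK 6 used in the article; recent JDKs detect JKS or PKCS12 either way
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, password);
        }
        if (ks.containsAlias(alias)) {
            System.out.println("Alias " + alias + " already present; replacing it");
        }
        ks.setCertificateEntry(alias, cert); // a trustedCertEntry, as keytool -importcert creates
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, password);
        }
        System.out.println("Imported " + alias + (selfSigned ? " (self-signed)" : "") + " into " + storePath);
    }
}
```

Compile it with javac and run it from lib/security, for example `java TrustedImport jssecacerts sentinel.netiq.ca ./sentinel.netiq.ca <fingerprint>`, where the fingerprint comes from the server's administrator rather than from the connection you are about to trust. The program reads and closes the keystore before writing it back, so pointing it at a live cacerts is safe, but as with any change under lib/security you should keep a copy of the original file.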

I hope these utilities and tricks save you some time the next time you need to deal with self-signed certificates and trusted roots.

Categories: Cool Tools, Identity Manager

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

2 Comments

  1. By: amaltsev1

    Use:
    NetBeans IDE 7.1 (Build 201112071828)
    Java: 1.7.0_03; Java HotSpot(TM) Client VM 22.1-b02

    Download, unpack and copy/paste installCert.java, build and run it in Debug (NetBeans) with the argument:
    srv.ami.ua:443

    In the debug screen I see:
    run:
    Loading KeyStore /home/ksr/bin/jsdk/jdk1.7.0_03/jre/lib/security/cacerts…
    Opening connection to srv.ami.ua:443…
    Starting SSL handshake…

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1337)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:998)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
    at installcert.InstallCert.main(InstallCert.java:69)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
    at installcert.InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:164)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:803)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1319)
    … 8 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    … 16 more

    Server sent 2 certificate(s):

    1 Subject CN=srv.ami.ua, O=AMI
    Issuer OU=Organizational CA, O=AMI
    sha1 e3 2e f2 bc a6 68 c0 22 e7 33 5f 56 5e 55 f4 80 a0 b8 b6 45
    md5 10 dd 8f 8e 2a 14 0b f2 51 65 61 2d 8d 98 18 5f

    2 Subject OU=Organizational CA, O=AMI
    Issuer OU=Organizational CA, O=AMI
    sha1 54 5a 6b 2e c2 1b 34 43 d5 1a c8 7a ca bb 3c cf 1e a6 fa 1e
    md5 43 09 73 d2 fb 30 f7 ec 1b 21 e4 de 25 bf 95 c8

    Enter certificate to add to trusted keystore or ‘q’ to quit: [1]

    Where does this error come from?

    • By: mbluteau

      This is normal behavior until the certification path is trusted.

      By pressing Enter for :

      Enter certificate to add to trusted keystore or ‘q’ to quit: [1]

      the certificate will be trusted. Running the command again after the certificate is added to keystore will not result in seeing the error message anymore. This is what I am seeing on my systems.
