Wednesday, July 16, 2008

Making Your JVM Trust Those SSL Certificates

Guess I should follow up with a "part 2" on yesterday's post about saving off SSL certificates. The whole point of me going through the exercise was that one of the web services we consume is SSL and the certificate expired. The new certificate was self-signed, so our Java code threw exceptions saying a trusted certificate was not found.

So the second step for me was to import them so my JVM(s) would recognize the certificate as "trusted".

To get your JVM to trust the certificate, you import it into your keystore using the keytool executable (found in your JDK bin directory):
[jboss@j2apptest01 bin]$ ./keytool -import -alias SomeWebserviceName -file ~/SomeCertificateFileName.CER
If the keystore does not exist yet, the tool will prompt you to enter a keystore password. Remember that password, as you will need to use it to import new certificates or export or view current ones.

It will then display all the keys and other info about the certificate and ask you to confirm that you really want to import. You will want to verify the keys match up to what you think you are importing, of course. Then type "yes" and it should tell you the certificate was added.

After that, our calls to the web service started to work again, like magic.
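
The verification step described above can be scripted so that the import only runs when the certificate's fingerprint matches one obtained from the service owner over a separate channel. This is an added example, not part of the original post; the function names and the KEYTOOL override variable are hypothetical, and it assumes GNU coreutils (`sha256sum`, `base64 -d`) are available.

```shell
#!/bin/sh
# Added example: check a certificate's fingerprint before importing it.

# Print the SHA-256 fingerprint of a .CER file (DER or PEM encoded) as
# uppercase hex pairs separated by colons, the layout keytool displays.
cert_fingerprint() {
    [ -s "$1" ] || return 1
    der=$(mktemp) || return 1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        # PEM: take the first certificate's base64 body, drop CRs, decode.
        sed -n -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
               -e '/-----END CERTIFICATE-----/q' "$1" \
            | grep -v -- '-----' | tr -d '\r' | base64 -d > "$der" \
            || { rm -f "$der"; return 1; }
    else
        # DER: the file already holds the raw certificate bytes.
        cat "$1" > "$der" || { rm -f "$der"; return 1; }
    fi
    # An empty decode result means there was no certificate body to hash.
    [ -s "$der" ] || { rm -f "$der"; return 1; }
    sha256sum < "$der" | cut -d' ' -f1 | tr 'a-f' 'A-F' \
        | sed -e 's/../&:/g' -e 's/:$//'
    rm -f "$der"
}

# Import only when the file's fingerprint equals the one obtained out of band.
# Arguments: alias, certificate file, expected fingerprint.
# KEYTOOL is a hypothetical override for the keytool path (JDK bin directory).
import_if_trusted() {
    actual=$(cert_fingerprint "$2") || { echo "cannot read $2" >&2; return 2; }
    wanted=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    if [ "$actual" != "$wanted" ]; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        return 1
    fi
    # Same import command as in the post; keytool still asks for confirmation.
    "${KEYTOOL:-keytool}" -import -alias "$1" -file "$2"
}
```

As with the command in the post, no `-keystore` option is given, so keytool uses its default keystore file (`.keystore` in the user's home directory); add `-keystore` to target a different one.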