01 September 2009

How to make Java SSL trust a certificate

I used the LdapLoginModule via JAAS to authenticate a user. All worked fine when using plain text. But I wanted to use SSL to encrypt the traffic to my LDAP server and got this exception:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The problem is that the SSL certificate on my LDAP server is self-signed and my client (the one running the LdapLoginModule) cannot trust it.

To solve this problem, download the certificate (I used Firefox, but Internet Explorer could probably also be used).
  1. Surf to https://myserver:myport/
  2. Press "I understand the risks" (or something like that, I'm using a Swedish Firefox)
  3. Press "Add an exception"
  4. Press "Get certificate"
  5. Press "Show"
  6. Press "Details"
  7. Press "Export"
  8. Save it to disk somewhere, for example as "mysslcertificate.cer"
Use the keytool command supplied with the JDK:
keytool -import -file mysslcertificate.cer -keystore mykeystore

The certificate is stored in the keystore named mykeystore in the current directory (will be created if it does not exist).

When launching the Java application, set the following VM parameter: javax.net.ssl.trustStore. For example:
java -Djavax.net.ssl.trustStore=mykeystore MyJavaProgram

Note: The keytool command demands that a password be set for the keystore. But the password is not required to read the certificates in the keystore (probably because certificates are considered public).
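As an added example (not code from the original post), the following program performs the same PKIX path check that the JAAS client does, using a trust manager built from the keystore created above. It assumes the file names from the post ("mysslcertificate.cer" and "mykeystore"); run it once against an empty keystore and once against mykeystore to see the failure turn into success. Keep in mind that -Djavax.net.ssl.trustStore replaces the JDK's default cacerts, so certificates issued by public CAs are no longer trusted unless they are also imported.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Checks whether a server certificate validates against a given truststore. */
public class TrustCheck {

    /** Builds the X509TrustManager backed by the keystore at keystorePath.
     *  A null password skips the integrity check; reading certificates needs none. */
    static X509TrustManager trustManagerFor(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Returns true if the certificate in the .cer file builds a valid PKIX path
     *  to a trust anchor in the keystore; false on the "unable to find valid
     *  certification path" failure seen in the post. */
    static boolean isTrusted(String cerPath, String keystorePath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(cerPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        X509TrustManager tm = trustManagerFor(keystorePath, null);
        try {
            // authType is the key-exchange algorithm; use "ECDHE_ECDSA" for EC server keys.
            tm.checkServerTrusted(new X509Certificate[] { cert }, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String cer = args.length > 0 ? args[0] : "mysslcertificate.cer";   // assumed file names
        String ks = args.length > 1 ? args[1] : "mykeystore";
        System.out.println(cer + " trusted by " + ks + ": " + isTrusted(cer, ks));
    }
}
```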

The following blog post gave me the initial help on how to do this: http://blogs.sun.com/andreas/entry/no_more_unable_to_find.
