Thursday, January 9, 2014

InstallCert.java - console app that lets you fetch and install the SSL certificate of the web service you're trying to work with

Recently I was working on one of my API test frameworks and had to work over HTTPS. I ran into this exception:
javax.net.ssl.SSLHandshakeException: 
   sun.security.validator.ValidatorException: PKIX path building failed: 
   sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
 
Caused by: sun.security.validator.ValidatorException: 
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
 
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
while the tests ran. The reason was that I was working against a dev server with a self-signed certificate, which was absent from my local keystore. So I googled a bit and found this nice Java console app that lets you grab a certificate in a very simple way. But in my case I sometimes need to go through a proxy, so I decided to improve this app and add proxy support to it. The final result can be found here
Here's how it works. The simplest way is
java InstallCert host=google.com
In this case InstallCert will look for SSL certificates on https://google.com:443. Here's its output:
host = google.com
Connecting to address without enabled proxy settings.
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
Opening connection to google.com:443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 3 certificate(s):

 1 Subject CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
   Issuer  CN=Google Internet Authority G2, O=Google Inc, C=US
   sha1    3c 6b de 6c a0 a1 ae 6a e9 d5 bf b3 67 ab 12 4e 1b 98 8b fb
   md5     27 91 da c0 73 30 85 db e3 23 ef 7d 6f aa 7f cd

 2 Subject CN=Google Internet Authority G2, O=Google Inc, C=US
   Issuer  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
   sha1    d8 3c 1a 7f 4d 04 46 bb 20 81 b8 1a 16 70 f8 18 34 51 ca 24
   md5     9e 4a c9 64 74 24 51 29 d9 76 67 00 41 2a 1f 89

 3 Subject CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
   Issuer  OU=Equifax Secure Certificate Authority, O=Equifax, C=US
   sha1    73 59 75 5c 6d f9 a0 ab c3 06 0b ce 36 95 64 c8 ec 45 42 a3
   md5     2e 7d b2 a3 1d 0e 3d a4 b2 5f 49 b9 54 2a 2e 1a

Enter certificate to add to trusted keystore or 'q' to quit: [1]
You simply press 1 and hit Enter. As a result, the certificate is added to your default keystore; InstallCert prints the certificate it imported:
[
[
  Version: V3
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun EC public key, 256 bits
  public x coord: 656756547611416355835880201008930358845723006450213197628251447943028
  public y coord: 39682731997476530492793735695736015238974220999223577766752587796918
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.
  Validity: [From: Wed Dec 11 13:34:50 CET 2013,
               To: Thu Apr 10 02:00:00 CEST 2014]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    4445eb4c d2c191ad]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://clients1.google.com/ocsp
]
]
...

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E A2 DC AC DF 9C 45 35   DE A0 F7 C1 0A A6 88 19  N.....E5.......
0010: B7 6B D1 F7                                        .k..
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 71 BD 84 65 33 2E 28 65   AB 5D 2A C8 1F 38 47 9A  q..e3.(e.]*..8G
0010: 43 DF BF 49 70 45 56 4C   D9 D8 31 67 53 B5 82 40  C..IpEVL..1gS..
0020: 4B BE D4 61 39 82 A7 25   7A 7F 27 B9 AE F0 1F 32  K..a9..%z.'....
0030: 38 1E 7B 32 C9 8A A1 8E   C6 66 5B 45 96 85 25 FB  8..2.....f[E..%
0040: DB D7 05 9B 40 1B 44 DC   8D 19 2D 94 0F FE 0B 67  ....@.D...-....
0050: E9 7D 8F 2B 93 50 B4 51   DF D0 97 4A A1 73 B3 46  ...+.P.Q...J.s.
0060: 26 A8 E7 21 20 5D 5E 86   5D C2 1B D9 0B B9 E5 95  &..! ]^.]......
0070: FE 87 2F 2A 99 B1 3D 8D   F9 59 A6 B6 0B A4 A4 91  ../*..=..Y.....
0080: 81 4E EA 03 8F 6C 42 18   89 27 2C 88 C6 E9 50 A9  .N...lB..',...P
0090: 45 69 1E 82 BD 22 48 2B   A0 5C E9 37 86 51 CD 57  Ei..."H+.\.7.Q.
00A0: 8B C6 ED 7E FE E7 B6 F8   FC 82 9E AE E5 9D 1E 74  ...............
00B0: 18 5C 34 4C 2B 7A C5 3C   C1 9B D5 AF F3 33 6C E8  .\4L+z.<.....3l
00C0: AE 94 B1 3A 0B CD BD EF   9D 75 46 BD 91 F0 C0 55  ...:.....uF....
00D0: D2 87 46 5B AF 8B A1 9A   0F 8E 06 C4 F1 42 7C AB  ..F[.........B.
00E0: 58 79 59 A5 F3 4D 98 6C   8C 97 93 B0 0E 8E A1 3E  XyY..M.l.......
00F0: BF 11 83 D0 95 22 27 69   6A E8 66 84 8C 59 0D 49  ....."'ij.f..Y.

]

Added certificate to keystore 'cacerts' using alias 'google.com-1'
To check that everything went well, run the same command again; you should see:
Opening connection to google.com:443...
Starting SSL handshake...

No errors, certificate is already trusted
Besides that you can also specify:
  • Host port. If it's not the standard 443 then you need to add hostPort=[portNumber] to your command
  • If you would like to send your request through a proxy first, then you need to specify proxyHost=[hostName] proxyPort=[portNumber]
  • If your keystore has a non-default password then passphrase=[passphrase] should also be added to the command. That's it :)
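As an added example (not the code of the InstallCert fork this post links to), here is the same trust-manager approach with two changes a practitioner would want: the certificate is accepted only if its SHA-256 fingerprint matches a value you obtained out of band (for a dev server, from whoever generated it), and it is written to a separate truststore instead of the JRE's cacerts. The class name, argument layout and the alias "host-pinned" are my own.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class PinnedInstallCert {
    // Accepts the server only if the leaf cert's SHA-256 fingerprint matches a value obtained out of band.
    static class PinningTrustManager implements X509TrustManager {
        final String expected; X509Certificate[] chain;
        PinningTrustManager(String expected) { this.expected = expected; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("not supported"); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            chain = c; // keep the chain so the caller can import the leaf after the check passed
            String got = fingerprint(c[0]);
            if (!got.equals(expected)) throw new CertificateException("fingerprint mismatch: " + got);
        }
    }

    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    // usage: java PinnedInstallCert host port expectedSha256Hex truststore.jks password
    public static void main(String[] args) throws Exception {
        String host = args[0]; int port = Integer.parseInt(args[1]);
        PinningTrustManager tm = new PinningTrustManager(args[2].toLowerCase().replace(":", ""));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check, which InstallCert skips
            s.setSSLParameters(p);
            s.startHandshake(); // SSLHandshakeException on fingerprint or hostname mismatch
        }
        File store = new File(args[3]); char[] pass = args[4].toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (store.exists()) { try (InputStream in = new FileInputStream(store)) { ks.load(in, pass); } }
        else ks.load(null, pass); // fresh application truststore, not the JRE's cacerts
        ks.setCertificateEntry(host + "-pinned", tm.chain[0]);
        try (OutputStream out = new FileOutputStream(store)) { ks.store(out, pass); }
    }
}
```

Point only the JVM that runs your tests at that file with -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=..., so the dev certificate is trusted nowhere else.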
2 comments:

    1. I'm attempting to follow the instructions on this page: http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/ to create a certificate for my localhost in which to do some development testing.
      When running InstallCert for localhost:8443, the following two certificates are generated:

      Server sent 2 certificate(s):

       1 Subject CN=localhost4.localdomain4, O=example.com, C=US
         Issuer  CN=Certificate Shack, O=example.com, C=US
         sha1    f4 2a a9 09 32 a6 ee 41 9d 9c 44 e6 4a bc 31 79 17 cb 88 fd
         md5     e0 78 65 83 30 33 78 c5 80 17 e7 7a a2 91 85 52

       2 Subject CN=Certificate Shack, O=example.com, C=US
         Issuer  CN=Certificate Shack, O=example.com, C=US
         sha1    b8 87 d6 2d ac d8 36 06 7c 58 68 10 3e 21 39 6a a0 33 a1 25
         md5     07 24 57 5f f8 35 1e 97 70 ff 54 aa 13 e6 6b 12

      The trouble is that my system needs the CN to be localhost. I have no idea where the localhost4.localdomain4 comes from. How can I change this to be simply localhost?

      Replies
      1. I assume that you already got the answer? :) http://stackoverflow.com/questions/23665426/where-does-installcert-java-get-the-server-certificates
