10

I use SSL to communicate between two components written in Java. I can't use a CA, so I have to self-sign everything. Unfortunately, this means that when I try to handshake, I get a SunCertPathBuilderException. I can create my own X509TrustManager that just trusts everything, but that sort of defeats the purpose of having a signed cert.

I would like, when first making the connection, to prompt the user with "SSL handshake with invalid cert. Add cert to store?" or something so they could have it added for them to their certificate store, like web browsers do at sites with invalid certs. I can find plenty of examples online of adding a cert to the store through the command line, but I can't figure out how to do it programmatically. Is there a way to do this?

2
  • In my case, the missing piece ended up being to use stackoverflow.com/a/5488964/513038 to generate an X509Certificate from the KeyPair I had, then use truststore.setEntry("dummy", new KeyStore.TrustedCertificateEntry(cert), null); rather than setKeyEntry. (I'd been getting errors like "KeyStoreException: Key protection algorithm not found ... Unsupported key type".) If you already have a cert, like for a remote partner negotiating a connection, you should be able to use that cert in TrustedCertificateEntry(cert) instead of generating your own. Commented Jan 4, 2022 at 6:50
  • I cobbled together code from many sources to do what you're doing, and then some - programmatically generate certs on both sides, open a TLS connection, ask the user on both sides to trust the other, and if so, add the other's cert to a truststore for use in the future. github.com/Erhannis/TlsChannelTest Commented Jan 5, 2022 at 2:13

3 Answers

5

Yes it is possible.

There is some code here that I've used before. I had to modify it to do what I wanted, and I suspect that you will too, but this should get you close - you aren't trying to import a key, so theoretically you should be able to simplify things. In any case you can get an idea of what you'll need.

The JDK JavaDoc for java.security.KeyStore is pretty useful too.


0

Why don't you create your own CA and sign your certificates with that? Then all you would need to do is install the CA's own certificate on the machines and every certificate signed by that CA would validate.

1 Comment

Because every user will run their own server and needs their own certificate for authentication (so one is distinguishable from another). I suppose I could create a CA, but that would greatly complicate the installation procedure, requiring the user to make cert production requests to me.

0

Why would you need to do this? You are not validating that the client is who they say they are; you are only using the certs to encrypt the comms, so a custom trust manager that allows all certs is all you need. What you are asking is possible and, from memory, also involves a custom trust manager to validate the certificates and store them in the keystore. I can't remember the details, but at least you know it is possible to do it.
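An added example, not code from the question, the answers, or the linked projects: a trust manager that does what the question asks, checking the peer's certificate against a local `KeyStore`, prompting on an unknown certificate, and persisting it with `setCertificateEntry` if the user accepts. The class name `PromptingTrustManager`, the console prompt, the truststore path and the alias scheme are assumptions.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (hypothetical class name): trust-on-first-use backed by a KeyStore file.
public class PromptingTrustManager implements X509TrustManager {
    private final File storeFile;   // truststore path chosen by the application (assumption)
    private final char[] password;
    private final KeyStore store;

    public PromptingTrustManager(File storeFile, char[] password)
            throws GeneralSecurityException, IOException {
        this.storeFile = storeFile;
        this.password = password;
        this.store = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) { store.load(in, password); }
        } else {
            store.load(null, password);   // first run: start with an empty truststore
        }
    }

    private void check(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("No certificate presented");
        X509Certificate leaf = chain[0];
        leaf.checkValidity();             // expired or not-yet-valid certs are still rejected
        try {
            if (store.getCertificateAlias(leaf) != null) return;   // this exact cert was accepted before
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            String fp = String.format("%064x", new BigInteger(1, digest));
            System.out.printf("Untrusted cert for %s%nSHA-256 %s%nAdd cert to store? [y/N] ",
                    leaf.getSubjectX500Principal(), fp);
            String reply = new BufferedReader(new InputStreamReader(System.in)).readLine();
            if (reply == null || !reply.trim().equalsIgnoreCase("y"))
                throw new CertificateException("Certificate rejected by user: " + fp);
            store.setCertificateEntry("peer-" + fp.substring(0, 16), leaf);
            try (OutputStream out = new FileOutputStream(storeFile)) { store.store(out, password); }
        } catch (KeyStoreException | NoSuchAlgorithmException | IOException e) {
            throw new CertificateException("Could not check or store certificate", e);
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String authType) throws CertificateException { check(c); }
    @Override public void checkClientTrusted(X509Certificate[] c, String authType) throws CertificateException { check(c); }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

Install it with `SSLContext.init(null, new TrustManager[]{ tm }, null)` and create sockets from that context. On first contact the fingerprint comparison is the only thing authenticating the peer, so the user should check it against a value obtained out of band before answering `y`.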
