I have a server with a self-signed certificate, but it also requires client-side cert authentication. I am having a rough time trying to get the raw CA server cert so I can import it into a keystore. Does anyone have suggestions on how to easily do that?
5 Answers
I was looking at how to trust a certificate while using the Jenkins CLI, and found https://issues.jenkins-ci.org/browse/JENKINS-12629 which has a recipe for that.
This will give you the certificate:
openssl s_client -connect ${HOST}:${PORT} </dev/null
if you are interested only in the certificate part, cut it out by piping it to:
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
and redirect to a file:
> ${HOST}.cert
Then import it using keytool:
keytool -import -noprompt -trustcacerts -alias ${HOST} -file ${HOST}.cert \
-keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
In one go:
HOST=myhost.example.com
PORT=443
KEYSTOREFILE=dest_keystore
KEYSTOREPASS=changeme
# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert
# create a keystore and import certificate
keytool -import -noprompt -trustcacerts \
-alias ${HOST} -file ${HOST}.cert \
-keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
# verify we've got it.
keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
3 Comments
With -noprompt and -storepass you can pipe with no temp file: openssl s_client -connect host:port | keytool -import -noprompt -alias nm -keystore file -storepass pw

I use openssl, but if you prefer not to, or are on a system (particularly Windows) that doesn't have it, since Java 7 in 2011 keytool can do the whole job:
keytool -printcert -sslserver host[:port] -rfc >tempfile
keytool -import [-noprompt] -alias nm -keystore file [-storepass pw] [-storetype ty] <tempfile
# or with noprompt and storepass (so nothing on stdin besides the cert) piping works:
keytool -printcert -sslserver host[:port] -rfc | keytool -import -noprompt -alias nm -keystore file -storepass pw [-storetype ty]
Conversely, for Java 9 and up always, and for earlier versions in many cases, Java can use a PKCS12 file for a keystore instead of the traditional JKS file, and OpenSSL can create a PKCS12 without any assistance from keytool:
openssl s_client -connect host:port </dev/null | openssl pkcs12 -export -nokeys [-caname nm] [-passout option] -out p12file
# <NUL on Windows
# default is to prompt for password, but -passout supports several options
# including actual value, envvar, or file; see the openssl(1ssl) man page
BUT (as I apparently hadn't yet found in 2018) this won't work as a truststore with 'standard' (Oracle/OpenJDK) Java crypto because that requires trusted cert(s) in a PKCS12 to have a special attribute OpenSSL doesn't know about. This does work if you install and use the BouncyCastle provider and specify the storetype which can affect (maybe break) other things, AND you specify 'friendly' name(s) with -caname. (corrected: -caname not -name or nm)
3 Comments
keytool :)

There were a few ways I found to do this:
- Firefox: Add Exception -> Get Certificate -> View -> Details -> Export...
- KeyMan (http://www.alphaworks.ibm.com/tech/keyman): you can get the SSL cert directly from the File -> Import menu
- InstallCert (Code by Andreas Sterbenz)
java InstallCert [host]:[port]
# InstallCert saves the chosen chain entry to ./jssecacerts under the alias [host]-N
# (N = the 1-based number of the entry you picked), so name that alias when exporting
keytool -exportcert -keystore jssecacerts -storepass changeit -alias [host]-1 -file output.cert
keytool -importcert -keystore [DESTINATION_KEYSTORE] -alias [host] -file output.cert
2 Comments
Just wrapping dnozay's answer in a function so that we can import multiple certificates at the same time.
Save it to a .sh file, then run it.
#!/usr/bin/env sh
KEYSTORE_FILE=/path/to/keystore.jks
KEYSTORE_PASS=changeit

import_cert() {
    local HOST=$1
    local PORT=$2
    # default to 443 when no port is given; [ ] instead of [[ ]] so this runs under plain sh
    if [ -z "$PORT" ]; then
        PORT=443
    fi
    # get the SSL certificate
    openssl s_client -connect "${HOST}:${PORT}" </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "${HOST}.cert"
    # delete the old alias (errors are expected when it does not exist yet) and then import the new one
    keytool -delete -keystore "${KEYSTORE_FILE}" -storepass "${KEYSTORE_PASS}" -alias "${HOST}" >/dev/null 2>&1
    # create a keystore (or update) and import certificate
    keytool -import -noprompt -trustcacerts \
        -alias "${HOST}" -file "${HOST}.cert" \
        -keystore "${KEYSTORE_FILE}" -storepass "${KEYSTORE_PASS}"
    # remove temp file
    rm "${HOST}.cert"
}

# Change your sites here
import_cert stackoverflow.com 443
import_cert www.google.com # default port 443
import_cert 172.217.194.104 443 # google
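Both dnozay's openssl-plus-keytool recipe and the import_cert function above keep whatever openssl s_client prints, which without -showcerts is only the server's leaf certificate, while the question asks for the CA certificate. The script below is an added example, not code from the question or any of the answers. It splits the output of openssl s_client -showcerts into one PEM file per certificate, picks out the self-signed root by comparing the subject and issuer lines s_client prints for each chain entry, and exposes a SHA-256 fingerprint to check against a value obtained out of band (for example from whoever runs the CA) before the file goes to keytool -import, since anything fetched with s_client alone is trusted on first use. The s_client output embedded in it is constructed sample data: the host name myhost.example.com and "Example Internal CA" are assumed, and the base64 bodies are placeholders rather than real certificates.

```shell
#!/usr/bin/env sh
# Added example: split `openssl s_client -showcerts` output into per-certificate
# files and find the self-signed root. Not part of the original answers.

# CONSTRUCTED stand-in for: openssl s_client -connect myhost.example.com:443 -showcerts </dev/null
# The certificate bodies are placeholders, not real DER data.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = myhost.example.com
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODYPLACEHOLDER0000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
ROOTCERTBODYPLACEHOLDER000000000000000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = myhost.example.com
issuer=CN = Example Internal CA
---
DONE'

# split_chain <outdir>: reads s_client output on stdin, writes <outdir>/cert-N.pem
# (N is s_client's own chain index) and <outdir>/chain.txt with one summary line
# per certificate: "N self-signed|issued <subject>". The summary is also echoed.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss = $0; next }
        /-BEGIN CERTIFICATE-/ { f = dir "/cert-" n ".pem"; incert = 1 }
        incert { print > f }
        /-END CERTIFICATE-/ {
            incert = 0; close(f)
            print n, (subj == iss ? "self-signed" : "issued"), subj
        }
    ' > "$outdir/chain.txt"
    cat "$outdir/chain.txt"
}

# cert_count <outdir>: number of certificates the server sent
cert_count() {
    wc -l < "$1/chain.txt" | tr -d ' '
}

# root_cert_file <outdir>: path of the self-signed certificate, the trust anchor to
# import. Returns 1 when the chain has none, i.e. the server sent only the leaf and
# intermediates and the CA cert has to come from the CA operator instead.
root_cert_file() {
    n=$(sed -n 's/^\([0-9][0-9]*\) self-signed .*/\1/p' "$1/chain.txt" | head -n 1)
    [ -n "$n" ] || return 1
    echo "$1/cert-$n.pem"
}

# fingerprint <pem-file>: SHA-256 fingerprint to compare with the out-of-band value
# before running keytool -import on the file (needs openssl and a real certificate).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$demo_dir"
if root=$(root_cert_file "$demo_dir"); then
    echo "trust anchor candidate: $root"
    fingerprint "$root" 2>/dev/null || echo "(fingerprint skipped: sample body is not a real certificate)"
else
    echo "no self-signed certificate in the chain; obtain the CA cert from its operator"
fi
```

With real s_client output, run `openssl s_client -connect "$HOST:$PORT" -showcerts </dev/null | split_chain certs`, compare `fingerprint certs/cert-1.pem` (or whichever file root_cert_file names) with the fingerprint the CA operator published, and only then hand that file to the keytool -import line from dnozay's answer with -trustcacerts. If root_cert_file reports no self-signed entry, importing the leaf would only pin that one server certificate, which breaks at the next renewal, so the CA certificate should be fetched from the CA directly.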