Movatterモバイル変換

[0]ホーム
URL:

Understanding & Working with SSL certificates

In happy days, everything works just fine. At times, when working with SSL related topics it will be challenging get things right. The main reasons could be one of these

  • Certificate expired
  • Self-Signed Certificate used
  • Internal Certificate Authrority used

We can find many simulated ssl found in https://badssl.com/

These reasons could result in error in estabilishing connection.

Understanding the certificate

We can verify the validity of SSL certificate of a url by checking the lock icon on your browswer when accessing it.

When the url publically available, we can check the certificate using https://www.sslshopper.com/ssl-checker.html

For example try checking https://expired.badssl.com/ withssl-checker

Note: if your organization uses ssl rewriting and internal Certificate Authrity, it gets tricky and the best resource you have is commandline tools like curl, openssl, keytool.

mahendran@mm-lab ~ % curl https://expired.badssl.com/curl: (60) SSL certificate problem: certificate has expiredMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above.

Note: curl will give the reason atSSL certificate problem. Try accessing every problematic url available in https://badssl.com/.

In openssl we can see theverify andCertificate chain sections which gives similar information as ssl-checker web tool.

mahendran@mm-lab ~ % openssl s_client -showcerts -connect expired.badssl.com:443 </dev/null 2>&1CONNECTED(00000005)depth=0 C = US, ST = California, L = San Francisco, O = BadSSL Fallback. Unknown subdomain or no SNI., CN = badssl-fallback-unknown-subdomain-or-no-sniverify error:num=20:unable to get local issuer certificateverify return:1depth=0 C = US, ST = California, L = San Francisco, O = BadSSL Fallback. Unknown subdomain or no SNI., CN = badssl-fallback-unknown-subdomain-or-no-sniverify error:num=21:unable to verify the first certificateverify return:1---Certificate chain 0 s:/C=US/ST=California/L=San Francisco/O=BadSSL Fallback. Unknown subdomain or no SNI./CN=badssl-fallback-unknown-subdomain-or-no-sni   i:/C=US/ST=California/L=San Francisco/O=BadSSL/CN=BadSSL Intermediate Certificate Authority-----BEGIN CERTIFICATE-----MIIE8DCCAtigAwIBAgIJAM28Wkrsl2exMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQKDAZCYWRTU0wxMjAwBgNVBAMMKUJhZFNTTCBJbnRlcm1lZGlhdGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDgwODIxMTcwNVoXDTE4MDgwODIxMTcwNVowgagxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMTYwNAYDVQQKDC1CYWRTU0wgRmFsbGJhY2suIFVua25vd24gc3ViZG9tYWluIG9yIG5vIFNOSS4xNDAyBgNVBAMMK2JhZHNzbC1mYWxsYmFjay11bmtub3duLXN1YmRvbWFpbi1vci1uby1zbmkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtcqGhJsCK1+ZWesSssdj5swEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5QN6ZnHGGM9kFCxUbTFocnn3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9glUp3aznxJNExtt1NwMT8U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+WqIW3GmxV0TbChKr3sMPR3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII2YxXhFOBBcvm/mtUmEAnhccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMBAAGjRTBDMAkGA1UdEwQCMAAwNgYDVR0RBC8wLYIrYmFkc3NsLWZhbGxiYWNrLXVua25vd24tc3ViZG9tYWluLW9yLW5vLXNuaTANBgkqhkiG9w0BAQsFAAOCAgEAsuFs0K86D2IB20nBQNb+4vs2Z6kECmVUuD0vEUBR/dovFE4PfzTr6uUwRoRdjToewx9VCwvTL7toq3ddoOwHakRjoxvq+lKvPq+0FMTlKYRjOL6Cq3wZNcsyiTYr7odyKbZs383rEBbcNu0Nc666/ozs4y4W7ufeMFrKak9UenrrPlUe0nrEHV3IMSF32iV85nXm95f7aLFvM6LmEzAGgWopuRqD+J0QEt3WNODWqBSZ9EYyx9l2l+KI1QcMalG20QXuxDNHmTEzMaCj4Zl8k0szexR8rbcQEgJ9J+izxsecLRVp70siGEYDkhq0DgIDOjmmu8ath4yznX6ApYEGtYTDUxIvsWxwkraBBJAfVxkp2OSg7DiZEVlMM8QxbSeLCz+63kE/d5iJfqdecGqX7rKEsVW4VLfHPF8sfCyXVi5sWrXrDvJm3zx2b3XToU7EbNONO1C85NsUOWy4JccoiguV8V6C723IgzkSgJMlpblJ6FVxC6ZX5XJ0ZsMI9TIjibM2L1Z9DkWRCT6DQjuKbYUeURhScofQBiIx73V7VXnFoc1qHAUd/pGhfkCUnUcuBV1SzCEhjiwjnVKxHJKvc9OYjJD0ZuvZw9gBrY7qKyBX8g+sglEGFNhruH8/OhqrV8pBXX/EWY0fUZThiywmc6GTT7X94Ze2F7iB45jh7WQ=-----END CERTIFICATE--------Server certificatesubject=/C=US/ST=California/L=San Francisco/O=BadSSL Fallback. Unknown subdomain or no SNI./CN=badssl-fallback-unknown-subdomain-or-no-sniissuer=/C=US/ST=California/L=San Francisco/O=BadSSL/CN=BadSSL Intermediate Certificate Authority---No client certificate CA names sentServer Temp Key: ECDH, P-256, 256 bits---SSL handshake has read 1938 bytes and written 322 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256Server public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session:    Protocol  : TLSv1.2    Cipher    : ECDHE-RSA-AES128-GCM-SHA256    Session-ID: 2C93EBF68CE24C130CC33C3790D9DF258DFC3639F4308F5E827F448D7FE71235    Session-ID-ctx:     Master-Key: 7022726C17ECF53A7578455B007A930DE4D084F535CDA411975A8C596547F359C9B264C1D6663BBE91ADF2AA203AF7DB    TLS session ticket lifetime hint: 300 (seconds)    TLS session ticket:    0000 - 5b d5 ed df 6b dc 79 68-af a2 3e 33 a2 72 4a fe   [...k.yh..>3.rJ.    0010 - 9a 52 1c 41 c5 88 ba 1f-07 f3 6c 0d 01 02 38 e8   .R.A......l...8.    0020 - e1 ef 0b d3 54 ab 06 e5-a1 bd 04 59 46 8b 1d 59   ....T......YF..Y    0030 - ec 75 25 68 14 bb 8d 0b-87 32 4d 69 64 d7 30 bf   .u%h.....2Mid.0.    0040 - ae b7 68 fe b0 c0 49 48-ec 48 68 f7 72 07 fb d3   ..h...IH.Hh.r...    0050 - 4b dc 69 ca 55 5e 25 c7-c0 c1 31 1d 8c 32 d8 48   K.i.U^%...1..2.H    0060 - 41 fa a2 e5 9e cb a1 b8-8a 79 51 99 72 4d 29 0a   A........yQ.rM).    0070 - 84 da 26 1a cc f5 2d 7e-e7 1b 7d 54 f6 8d 8f b0   ..&...-~..}T....    0080 - b7 bc 30 e7 c7 6f 48 93-08 e7 e0 4b c9 95 b6 a6   ..0..oH....K....    0090 - 66 92 a5 c9 ff 17 8c 31-35 2f e9 4e 97 59 90 10   f......15/.N.Y..    00a0 - 84 3a b9 01 d0 53 bc 02-34 bf b6 03 4a 51 84 9e   .:...S..4...JQ..    Start Time: 1633780796    Timeout   : 7200 (sec)    Verify return code: 21 (unable to verify the first certificate)---poll error%

To extract just the certificate from url…

mahendran@mm-lab ~ % openssl s_client -showcerts -connect expired.badssl.com:443 </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > expired-badssl.crt

To view the details of a certificate likessl-decoder

Note theValidity

mahendran@mm-lab ~ % openssl x509 -in expired-badssl.crt -text -nooutCertificate:    Data:        Version: 3 (0x2)        Serial Number: 14824823351240255409 (0xcdbc5a4aec9767b1)    Signature Algorithm: sha256WithRSAEncryption        Issuer: C=US, ST=California, L=San Francisco, O=BadSSL, CN=BadSSL Intermediate Certificate Authority        Validity            Not Before: Aug  8 21:17:05 2016 GMT            Not After : Aug  8 21:17:05 2018 GMT        Subject: C=US, ST=California, L=San Francisco, O=BadSSL Fallback. Unknown subdomain or no SNI., CN=badssl-fallback-unknown-subdomain-or-no-sni        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                Public-Key: (2048 bit)                Modulus:                    00:c2:04:ec:f8:8c:ee:04:c2:b3:d8:50:d5:70:58:                    cc:93:18:eb:5c:a8:68:49:b0:22:b5:f9:95:9e:b1:                    2b:2c:76:3e:6c:c0:4b:60:4c:4c:ea:b2:b4:c0:0f:                    80:b6:b0:f9:72:c9:86:02:f9:5c:41:5d:13:2b:7f:                    71:c4:4b:bc:e9:94:2e:50:37:a6:67:1c:61:8c:f6:                    41:42:c5:46:d3:16:87:27:9f:74:eb:0a:9d:11:52:                    26:21:73:6c:84:4c:79:55:e4:d1:6b:e8:06:3d:48:                    15:52:ad:b3:28:db:aa:ff:6e:ff:60:95:4a:77:6b:                    39:f1:24:d1:31:b6:dd:4d:c0:c4:fc:53:b9:6d:42:                    ad:b5:7c:fe:ae:f5:15:d2:33:48:e7:22:71:c7:c2:                    14:7a:6c:28:ea:37:4a:df:ea:6c:b5:72:b4:7e:5a:                    a2:16:dc:69:b1:57:44:db:0a:12:ab:de:c3:0f:47:                    74:5c:41:22:e1:9a:f9:1b:93:e6:ad:22:06:29:2e:                    b1:ba:49:1c:0c:27:9e:a3:fb:8b:f7:40:72:00:ac:                    92:08:d9:8c:57:84:53:81:05:cb:e6:fe:6b:54:98:                    40:27:85:c7:10:bb:73:70:ef:69:18:41:07:45:55:                    7c:f9:64:3f:3d:2c:c3:a9:7c:eb:93:1a:4c:86:d1:                    ca:85                Exponent: 65537 (0x10001)        X509v3 extensions:            X509v3 Basic Constraints:                 CA:FALSE            X509v3 Subject Alternative Name:                 DNS:badssl-fallback-unknown-subdomain-or-no-sni    Signature Algorithm: sha256WithRSAEncryption         b2:e1:6c:d0:af:3a:0f:62:01:db:49:c1:40:d6:fe:e2:fb:36:         67:a9:04:0a:65:54:b8:3d:2f:11:40:51:fd:da:2f:14:4e:0f:         7f:34:eb:ea:e5:30:46:84:5d:8d:3a:1e:c3:1f:55:0b:0b:d3:         2f:bb:68:ab:77:5d:a0:ec:07:6a:44:63:a3:1b:ea:fa:52:af:         3e:af:b4:14:c4:e5:29:84:63:38:be:82:ab:7c:19:35:cb:32:         89:36:2b:ee:87:72:29:b6:6c:df:cd:eb:10:16:dc:36:ed:0d:         73:ae:ba:fe:8c:ec:e3:2e:16:ee:e7:de:30:5a:ca:6a:4f:54:         7a:7a:eb:3e:55:1e:d2:7a:c4:1d:5d:c8:31:21:77:da:25:7c:         e6:75:e6:f7:97:fb:68:b1:6f:33:a2:e6:13:30:06:81:6a:29:         b9:1a:83:f8:9d:10:12:dd:d6:34:e0:d6:a8:14:99:f4:46:32:         c7:d9:76:97:e2:88:d5:07:0c:6a:51:b6:d1:05:ee:c4:33:47:         99:31:33:31:a0:a3:e1:99:7c:93:4b:33:7b:14:7c:ad:b7:10:         12:02:7d:27:e8:b3:c6:c7:9c:2d:15:69:ef:4b:22:18:46:03:         92:1a:b4:0e:02:03:3a:39:a6:bb:c6:ad:87:8c:b3:9d:7e:80:         a5:81:06:b5:84:c3:53:12:2f:b1:6c:70:92:b6:81:04:90:1f:         57:19:29:d8:e4:a0:ec:38:99:11:59:4c:33:c4:31:6d:27:8b:         0b:3f:ba:de:41:3f:77:98:89:7e:a7:5e:70:6a:97:ee:b2:84:         b1:55:b8:54:b7:c7:3c:5f:2c:7c:2c:97:56:2e:6c:5a:b5:eb:         0e:f2:66:df:3c:76:6f:75:d3:a1:4e:c4:6c:d3:8d:3b:50:bc:         e4:db:14:39:6c:b8:25:c7:28:8a:0b:95:f1:5e:82:ef:6d:c8:         83:39:12:80:93:25:a5:b9:49:e8:55:71:0b:a6:57:e5:72:74:         66:c3:08:f5:32:23:89:b3:36:2f:56:7d:0e:45:91:09:3e:83:         42:3b:8a:6d:85:1e:51:18:52:72:87:d0:06:22:31:ef:75:7b:         55:79:c5:a1:cd:6a:1c:05:1d:fe:91:a1:7e:40:94:9d:47:2e:         05:5d:52:cc:21:21:8e:2c:23:9d:52:b1:1c:92:af:73:d3:98:         8c:90:f4:66:eb:d9:c3:d8:01:ad:8e:ea:2b:20:57:f2:0f:ac:         82:51:06:14:d8:6b:b8:7f:3f:3a:1a:ab:57:ca:41:5d:7f:c4:         59:8d:1f:51:94:e1:8b:2c:26:73:a1:93:4f:b5:fd:e1:97:b6:         17:b8:81:e3:98:e1:ed:64mahendran@mm-lab ~ %

Sometimes when a LoadBalancer which manages the certificate involved between client and server, we may need to pass theservername so that LoadBalancer returns the right certificate associated with it.

mahendran@mm-lab ~ % nslookup expired.badssl.comServer:192.168.1.1Address:192.168.1.1#53Non-authoritative answer:Name:expired.badssl.comAddress: 104.154.89.105mahendran@mm-lab ~ % openssl s_client -showcerts -connect 104.154.89.105:443 -servername expired.badssl.com </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > expired-badssl.crt

Certificate Verification process

To have a SSO communication, server needs to equiped with a asymmetric based encryption keys. Also server works with Certificate Authroity to get a certificate which contains the public key, validity certificate authority chain and signature.

These days getting ssl certificate is much easier and even free of cost. So use of self-signed certificate discouraged. When using self-signed, try explaining to a peer / infrastructure engineer who may be able to agree or provide solution.

During the connection process, server sends the certificate to client and its clients resoponsibility to validate the certifcate and decide whether to trust this channel or not.

Client is equiped with a list of Certificate Authority (CA) which we call trust store.

Client does…

  • check validity of the certs
  • finds the certificate chain

  • it follows the certificate chain and checks if that issuer already in the trusted list. When it is not, it goes up in the chain until it finds a trusted CA. During this process, it also checks the validity of CA.

    Note

    Certificate chain contains multiple certs indexed to represent the order of chain. In that one end is the server certificate and another end is called “Root CA”. All inbetween called “Intermediary CA”.

Now we can detect expired certificates, self-signed certificates or having a certificate chain where client trust anyone of them

How to trust a new certificate or Certificate Authority (DO NOT TRUST WHEN YOU DON’T KNOW THE CA)

Mostly trusting ceritifcate is required during development process when self signed certificate used. As said earlier try avoiding it.

Requirement to add new CA comes only when the clients trust store really old and not managed/monitored by infrastructure/cyber security team. Adding a CA to trust means lot for cyber security perspective. Please consult and verify the CA.

It is normal organizaton to have intermediatory CA which needs to be added to all kinds of clients trust store. It will be done by the infrastructure level using tools likeupdate-ca-certificates in linux. This tool will apply the CA in the system in differnt format which is used by differnt programming methods (java/curl/python/browser). Those files called like cacerts, pem, nssdb etc.,

Let’s assume your organization has its own internal Root CA and your client program not aware of this CA. It will result problem like what you see while using https://untrusted-root.badssl.com/

Let’s leave theupdate-ca-certificates command execution to the infrastructure engineer.

Let’s see how to add a certificate to specific trust store. Also to remove it as well.

Managing Java cacerts

Java keeps the trusted CA list in a file calledcacerts. This file comes with the install under $JAVA_HOME/jre/lib/security directory. It contains almost all legitimate root CAs at the time of release.

Sometimes, when installed by installer or managed by infrastructure cacerts will be linked to the location where it is maintained (by infrastructure team and maybe by update-ca-certificate tool)

When managed by infrastructure team, most likely you will not have permission to edit this file. Situation gets tricky.

This is when application developer takes shortcut and copy the file and place it somewhere he/she can edit and configure java program to use it by spefifying system propertyjavax.net.ssl.trustStore. This works but missing the infrastructure updates like change in interal CA changes.

you can run this script injshell and seePKIX error appearing. This tells that java client does not trust the server to open connection

import java.net.http.HttpClient;import java.net.http.HttpRequest;import java.net.http.HttpResponse;System.setProperty("javax.net.debug", "all");var request = HttpRequest.newBuilder(URI.create("https://untrusted-root.badssl.com/")).GET().build();var client = HttpClient.newHttpClient();var body = client.send(request, HttpResponse.BodyHandlers.ofString());

Note: Look for a log message which shows where thetrustStore is

javax.net.ssl|DEBUG|01|main|2021-10-10 08:48:53.941 EDT|TrustStoreManager.java:113|trustStore is: /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security/cacertstrustStore type is: pkcs12trustStore provider is: the last modified time is: Tue Sep 15 12:15:49 EDT 2020

As mentioned earlier, it maynot be editable for all users

mahendran@mm-lab ~ % ls -l /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security/       total 688-rw-r--r--  1 root  wheel    1253 Sep 15  2020 blacklisted.certs-rw-r--r--  1 root  wheel  101001 Sep 15  2020 cacerts-rw-r--r--  1 root  wheel    9525 Sep 15  2020 default.policy-rw-r--r--  1 root  wheel  232578 Sep 15  2020 public_suffix_list.dat

Let’s extract certificate from the server

openssl s_client -showcerts -connect untrusted-root.badssl.com:443  </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > untrusted-root.badssl.com.crt

Import this certificate(s) to cacerts as trusted server. (Take a backup of cacerts before) or make a copy of cacerts file to experiment.

When you have intermidiate certs… you will see multie certificates from above command. Java keytool imports only one certificate at a time.Either you can split and use keytool import individually. Or use below scriptkeytool_import_all.sh to import them all.

#!/bin/bashPEM_FILE=$1PASSWORD=$2KEYSTORE=$3# number of certs in the PEM fileCERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)# For every cert in the PEM file, extract it and import into the JKS keystore# awk command: step 1, if line is in the desired cert, print the line#              step 2, increment counter when last line of cert is foundfor N in $(seq 0 $(($CERTS - 1))); do  ALIAS="${PEM_FILE%.*}-$N"  cat $PEM_FILE |    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |    keytool -noprompt -import -trustcacerts \            -alias $ALIAS -keystore $KEYSTORE -storepass $PASSWORDdone
mahendran@mm-lab ~ % openssl s_client -showcerts -connect google.com:443  </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > google-chain.crtmahendran@mm-lab ~ % ./keytool_import_all.sh google-chain.crt changeit ~/cacerts-with-badsslCertificate was added to keystoreCertificate was added to keystoreCertificate was added to keystoremahendran@mm-lab ~ %
mahendran@mm-lab ~ % cp /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security/cacerts ~/adoptopenjdk-15.jdk-cacerts.originalmahendran@mm-lab ~ % keytool -importcert -alias untrusted-root.badssl -file untrusted-root.badssl.com.crt -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security/cacerts -storepass changeit -nopromptWarning: use -cacerts option to access cacerts keystoreCertificate was added to keystorekeytool error: java.io.FileNotFoundException: /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security/cacerts (Permission denied)mahendran@mm-lab ~ % cp /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home/lib/security/cacerts ~/cacerts-with-badssl mahendran@mm-lab ~ % keytool -importcert -alias untrusted-root.badssl -file untrusted-root.badssl.com.crt -keystore ~/cacerts-with-badssl  -storepass changeit -nopromptCertificate was added to keystoremahendran@mm-lab ~ % #Aleternative to above mahendran@mm-lab ~ % ./keytool_import_all.sh untrusted-root.badssl.com.crt changeit ~/cacerts-with-badssl
import java.net.http.HttpClient;import java.net.http.HttpRequest;import java.net.http.HttpResponse;System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home")+"/cacerts-with-badssl");System.setProperty("javax.net.ssl.trustStorePassword","changeit");System.setProperty("javax.net.debug", "all");var request = HttpRequest.newBuilder(URI.create("https://untrusted-root.badssl.com/")).GET().build();var client = HttpClient.newHttpClient();var body = client.send(request, HttpResponse.BodyHandlers.ofString());
Note: untrusted-root.badssl.com not just holding untrusted cert, it is also missing to provide information about the CA which is blocking us to trust this site. This process should work when you have all intermediate CA certificate available in the certificate chain to add it to cacerts

Explicitly mentioning cacerts path

At times we may not have the permission to move or import certificate into cacerts file. In that case we could copy existing cacerts to a place where we can have edit permission. Then import the certificate as mentioned above.

To test the application using the new cacerts file in differnt location, add following JVM parameters to the java command.changeit is the default password. In your case use your cacerts password. If it ischangeit, just a friendly advice… there is a reason why that password choosen like that :-).

java -Djavax.net.ssl.trustStore=custompath/cacerts -Djavax.net.ssl.trustStorePassword=changeit

List certs from Java cacerts

$ keytool -list -keystore cacerts -storepass changeit

Extracting certificate using Java

Sometimes due to the nature of network components (proxy, firewall, network policy, zscaller) you may be limitted to access certain url only via Java application and openssl may not help. Also you may not be get certificate of all intermediatories CAs. In that case your infrastructure team should offer the CA Root and intermediatories certificates for you to add in cacerts. Still you may face issue like PKIX failure exception.

To find which CAs causing PKIX issue or get the CAs so you can verify or add it to cacerts, we can use following code. Note: Don’t use this code in production application. Use it to figure out problem and proove what CAs missing

import java.io.FileOutputStream;import java.net.URL;import java.security.cert.Certificate;import java.security.cert.CertificateException;import java.security.cert.X509Certificate;import javax.net.ssl.HostnameVerifier;import javax.net.ssl.HttpsURLConnection;import javax.net.ssl.SSLContext;import javax.net.ssl.SSLSession;import javax.net.ssl.TrustManager;import javax.net.ssl.X509TrustManager;public class ExtractCertificate {  // Try few user from here https://badssl.com/  static String urlToExtractCertificates = "https://nvd.nist.gov";  // "https://untrusted-root.badssl.com/";  // "https://no-common-name.badssl.com/";  // TrustManager which simply accepts all certificate - Never put this code in production.  static TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {    public java.security.cert.X509Certificate[] getAcceptedIssuers() {      return null;    }    public void checkClientTrusted(X509Certificate[] arg0, String arg1)        throws CertificateException {}    public void checkServerTrusted(X509Certificate[] arg0, String arg1)        throws CertificateException {}  }};  // Trust all hostnames - Never put this code in production.  static HostnameVerifier validHosts = new HostnameVerifier() {    public boolean verify(String arg0, SSLSession arg1) {      return true;    }  };  // keytool -import -alias badsslintermediate -file cert-1 -keystore cacerts -storepass changeit -noprompt  public static void main(String[] args) throws Exception {    // Build a SSL context which trust all certs.    var sslContext = SSLContext.getInstance("SSL");    sslContext.init(null, trustAllCerts, new java.security.SecureRandom());    // Use the ssl context to build HTTP connection.    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());    HttpsURLConnection.setDefaultHostnameVerifier(validHosts);    var destinationURL = new URL(urlToExtractCertificates);    var conn = (HttpsURLConnection) destinationURL.openConnection();    conn.connect();    Certificate[] certs = conn.getServerCertificates();    System.out.println("Number of Certificates = " + certs.length);    int i = 1;    for (Certificate cert : certs) {      //System.out.println("Certificate is: " + cert);      //System.out.println(cert.getPublicKey());      //System.out.println(cert.getEncoded());      if (cert instanceof X509Certificate) {        FileOutputStream os = new FileOutputStream("cert-" + i)+".der";        os.write(cert.getEncoded());        os.close();        i++;      }    }  }}

To convert the generated DER file from above Java program you can use following command

openssl x509 -inform der -in cert-1.der

Here is an example site where openssl is not helping to extract certificate

mahendran@mm-lab ~ % openssl s_client -showcerts -connect nvd.nist.gov:443CONNECTED(00000005)4309630444:error:14004458:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 unrecognized name:/System/Volumes/Data/SWE/macOS/BuildRoots/e90674e518/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 1124309630444:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/e90674e518/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:585:---no peer certificate available---No client certificate CA names sent---SSL handshake has read 7 bytes and written 0 bytes---New, (NONE), Cipher is (NONE)Secure Renegotiation IS NOT supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session:    Protocol  : TLSv1.2    Cipher    : 0000    Session-ID:     Session-ID-ctx:     Master-Key:     Start Time: 1649471502    Timeout   : 7200 (sec)    Verify return code: 0 (ok)---mahendran@mm-lab ~ %
[8]ページ先頭
©2009-2025 Movatter.jp