Exporting SSL Certificate in Linux Browser (or Linux Command Line) for Java Certificate Truststore

StackOverflow https://stackoverflow.com/questions/15645256

Question

Background:

I am having some trouble consuming a Web Service with ColdFusion 9 (peer not authenticated).

First, I'm going to try importing the cert into ColdFusion's underlying Java keystore. If that doesn't work, I'm going to try to fiddle with ColdFusion's security provider.

But my questions are more specific...

Question:

How do I export the cert (at the right level) in Chrome (or Linux CLI), and in which format?

Details

I have seen some instructions for exporting a cert from a browser, but they have been for IE (old versions, at that), and I would prefer to use Chrome, because I'm on Linux.

In order to get to the screen shot, below, I:

  • Click the lock icon next to the URL
  • "Connection" tab (shows "The identity of this website has been verified by Thawte SSL CA")
  • Click "Certificate Information Link"
  • "Details" tab

Screen Shot of Chrome's Certificate Export Dialog

From there, I am able to export at one of four levels:

  • Builtin Object Token:Thawte Premium Server CA
  • thawte Primary Root CA
  • Thawte SSL CA
  • sb1.geolearning.com

Which one is appropriate?

Also, Adobe's documentation says "The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.", and Chrome's export dialog offers these options:

  • Base64-encoded ASCII, single certificate
  • Base64-encoded ASCII, certificate chain
  • DER-encoded binary, single certificate
  • PKCS #7, single certificate
  • PKCS #7, certificate chain
  • All Files

I assume "DER-encoded binary, single certificate" is appropriate?


Solution

With a Browser

The following generated a certificate that I was able to import using keytool:

  • Level: sb1.geolearning.com
  • File Type: DER-encoded binary, single certificate

For posterity, here was the command used to import:

sudo keytool -import -keystore /opt/jrun4/jre/lib/security/cacerts -alias "sb1.geolearning.com (Thawte SSL CA)" -storepass changeit -noprompt -trustcacerts -file ~/Downloads/sb1.geolearning.com

Without a Browser

Here's what I'm doing these days (in a Vagrant provisioner). In this script, the keystore is hard-coded, because I'm only using it for Lucee, at the moment; however, the path to the keystore could easily be parameterized. Also, the runfile-related code is just so Vagrant doesn't run the script more than once; those lines are superfluous if you're not using the code as a Vagrant provisioner.

The only thing that really differentiates this from the above solution is that this gets the cert via openssl s_client (and cleans it up with sed) instead of doing so manually, via a browser.

#!/usr/bin/env bash
set -e

description="Add cert to Lucee's keystore."

while :
do
    case $1 in
        --provisioned-dir=*)
            provisioned_dir=${1#*=}        # Delete everything up till "="
            shift
            ;;
        --runfile-name=*)
            runfile_name=${1#*=}        # Delete everything up till "="
            shift
            ;;
        --site-host-name=*)
            site_host_name=${1#*=}        # Delete everything up till "="
            shift
            ;;
        -*)
            echo "WARN: Unknown option (ignored): $1" >&2
            shift
            ;;
        *)  # no more options. Stop while loop
            break
            ;;
    esac
done

runfile="${provisioned_dir}/${runfile_name}"

if [ -f "${runfile}" ]; then
  echo "${description}: Already run."
  exit 0
fi

echo "add cert to keystore"

# Without -showcerts, s_client prints only the server's own (leaf) certificate,
# so the sed range below yields exactly one PEM block. -servername sends SNI,
# so a host that serves several names returns the certificate for this one.
echo -n | \
  openssl s_client -connect "${site_host_name}:443" -servername "${site_host_name}" \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > "/tmp/${site_host_name}.cert"

/opt/lucee/jdk/jre/bin/keytool \
  -import \
  -keystore /opt/lucee/lib/lucee-server/context/security/cacerts \
  -alias "${site_host_name} (self-signed)" \
  -storepass changeit \
  -file "/tmp/${site_host_name}.cert" \
  -noprompt \
  || true

touch "${runfile}"
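The sed range in the answer keeps only the first PEM block, which is the leaf when s_client is run without -showcerts. The script below is an added example (it is not from the StackOverflow answer) that generalises that step: it splits a -showcerts capture into one file per certificate, converts PEM to DER (the encoding Adobe's documentation asks for), confirms that both encodings give the same SHA-256 fingerprint, and imports into a dedicated truststore instead of the JRE's cacerts. The host name sb1.example.test, the file paths, the alias and the password changeit are constructed placeholders, and the capture is built from a locally generated self-signed certificate so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the StackOverflow answer. Host name, paths,
# alias and password are constructed placeholders.
set -eu

# Write every BEGIN/END CERTIFICATE block found in $1 to $2/cert-N.pem and
# print the number of blocks. This generalises the sed range in the answer:
# with `openssl s_client -showcerts` the capture holds the whole chain, and
# each certificate needs its own file (and its own keytool alias).
split_pem_chain() {
  local input="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v outdir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = outdir "/cert-" n ".pem"; keep = 1 }
    keep                          { print > out }
    /-----END CERTIFICATE-----/   { keep = 0; close(out) }
    END                           { print n + 0 }
  ' "$input"
}

# Convert one PEM certificate to DER, the encoding Adobe's docs ask for.
pem_to_der() {
  openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# SHA-256 fingerprint of a certificate in PEM or DER form. Both encodings give
# the same value because the hash is taken over the decoded DER bytes, so this
# is the number to compare against the browser's certificate viewer before
# trusting anything fetched over the network.
cert_fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

# Import into a dedicated truststore rather than the JRE's own cacerts, so the
# trust decision is explicit and survives JDK upgrades; point the JVM at it with
# -Djavax.net.ssl.trustStore=<store> -Djavax.net.ssl.trustStorePassword=<pw>.
import_into_truststore() {
  local cert="$1" alias="$2" store="$3" storepass="$4"
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
    -keystore "$store" -storepass "$storepass"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo" >&2; return 0; }
  work="$(mktemp -d)"
  trap 'rm -rf "$work"' EXIT

  # Constructed input: a throwaway self-signed certificate stands in for the
  # server's. In real use the capture would come from
  #   openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sb1.example.test" \
    -keyout "$work/key.pem" -out "$work/server.pem" 2>/dev/null
  {
    echo "CONNECTED(00000003)"
    echo "depth=0 CN = sb1.example.test"
    echo " 0 s:CN = sb1.example.test"
    cat "$work/server.pem"
    echo " 1 s:CN = pretend-issuer"
    cat "$work/server.pem"
    echo "---"
    echo "SSL handshake has read 1234 bytes and written 400 bytes"
  } > "$work/s_client.txt"

  local count fp_pem fp_der
  count="$(split_pem_chain "$work/s_client.txt" "$work/chain")"
  echo "certificates in capture: $count"

  # cert-1 is the leaf (the level the answer exported from Chrome).
  pem_to_der "$work/chain/cert-1.pem" "$work/cert-1.der"
  fp_pem="$(cert_fingerprint "$work/chain/cert-1.pem" PEM)"
  fp_der="$(cert_fingerprint "$work/cert-1.der" DER)"
  [ "$fp_pem" = "$fp_der" ] || { echo "PEM/DER fingerprint mismatch" >&2; return 1; }
  echo "leaf SHA-256 fingerprint: $fp_pem"

  if command -v keytool >/dev/null 2>&1; then
    import_into_truststore "$work/cert-1.der" "sb1.example.test (leaf)" "$work/truststore.jks" changeit
    keytool -list -keystore "$work/truststore.jks" -storepass changeit | grep -i "sb1.example.test"
  fi
}

main "$@"
```

On the "which level" question: importing the leaf, as the answer does, pins that one server certificate and stops working when the server renews it; importing the issuing CA's certificate instead survives renewals but makes the truststore accept everything that CA signs. Whichever level is chosen, compare the fingerprint printed here with the one shown in the browser's certificate details before importing.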
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow