Question

I am trying to make an HTTP GET request using HttpURLConnection in Java. When I make the GET using a browser it tells me the certificate is not trusted, do you want to proceed. I accept the certificate and the GET request gets the data, but I am getting a certificate exception in Java (given below).

What I understood from this exception is that I need to download that certificate and set this Java system property before making the GET request.

My questions are:

  1. How will I download this certificate from the browser?
  2. Can I use the browser's certificate store in my Java program, and what do I need to know to use that?
  3. If I want to install the certificate in my keystore then what do I need to do?

THANKS A LOT :)

I am trying to download the certificate using the keytool command. I do not have any idea where the certificate is stored on the server, but I gave the path of the server which I use in the browser, and the browser says the certificate is not trusted.

import java.net.HttpURLConnection;
import java.net.URL;

    // Note: the SSLHandshakeException below can only come from an https:// URL;
    // the scheme shown here is what was posted.
    URL gatewayServiceUrl = new URL("http://192.168.55.179:56400/nwa");
    HttpURLConnection connection = (HttpURLConnection) gatewayServiceUrl.openConnection();
    connection.setRequestMethod("GET");
    // getExample is the enclosing class instance; getBasicAuth() builds the Basic auth header value
    connection.setRequestProperty("Authorization", getExample.getBasicAuth());
    connection.connect();   // the TLS handshake (and the exception) happens here
    if (HttpURLConnection.HTTP_OK == connection.getResponseCode()) {
        System.out.println("success");
        System.out.println(getExample.getDataFromStream(connection.getInputStream()));
    } else {
        System.out.println("failure");   // non-200 response: read the error body instead
        System.out.println(getExample.getDataFromStream(connection.getErrorStream()));
    }
    System.out.println(connection.getResponseCode());

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at com.testweb.GetExample.main(GetExample.java:18)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)

Solution

You have to add the issuer CAs of your server certificate (or directly the server certificate itself, in case for example your cert is self-signed) to the truststore in order to avoid the PKIX path builder exception.

By default the Java truststore is at JAVA_HOME/jre/lib/security/cacerts (you can specify another truststore with the javax.net.ssl.trustStore property).

To do this, first download the server certificate. You can download the server certificate for example with Chrome: connect to the server URL, click on the green lock, then select the Connection tab and click on certificate information.

Then save this certificate on disc.

Now you have to add this certificate to the Java truststore; you can do it with the Java keytool (if it is in your path use keytool, if not, keytool is at JAVA_HOME/bin/keytool):

keytool -import -trustcacerts -alias myServerCertificate -file path/myServerCert.crt -keystore JAVA_HOME/jre/lib/security/cacerts

The default password for cacerts is: changeit

Hope this helps,
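An added example, not code from the question or from either answer, that applies the same idea without editing the global cacerts file: the exported certificate file is loaded into an in-memory truststore that is used only for this connection, so the trust decision is scoped to the application. The path `path/myServerCert.crt`, the class name and the https URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrustGet {

    // Build an SSLContext that trusts only the certificate(s) in the given file
    // (PEM or DER, a single cert or a whole chain). Nothing from the JVM's default
    // cacerts is included, so this is an explicit per-application trust decision.
    static SSLContext contextTrusting(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);               // start from an empty in-memory truststore
        try (InputStream in = new FileInputStream(certPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("server-" + i++, c);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the .crt exported from the browser (or with openssl) and the server's https URL.
        SSLContext ctx = contextTrusting("path/myServerCert.crt");
        URL url = new URL("https://192.168.55.179:56400/nwa");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // applies to this connection only
        conn.setRequestMethod("GET");
        conn.connect();
        // Hostname verification still runs against the certificate's SAN/CN, so a
        // certificate issued for a different name is still rejected, as intended.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The same effect for the whole JVM, without code changes, is to put the certificate in a separate keystore and start Java with -Djavax.net.ssl.trustStore pointing at it, as the answer mentions.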

OTHER TIPS

The other answers work, but I find exporting the cert in browsers to be troublesome. Here are my steps for exporting and then importing the cert, all from the command line: https://gist.github.com/jeffsheets/d2880dc1e2ea241b19f140c54809f750

Command to export a cert from a website to a .cer file (example uses google.com):

openssl s_client -servername google.com -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -inform PEM -outform DER -out google.com.cer

Command to import into the local Java truststore (use your own location of JAVA_HOME):

"$JAVA_HOME"/bin/keytool -keystore "$JAVA_HOME"/jre/lib/security/cacerts -importcert -alias google.com -file google.com.cer

  • the default Java keystore password is changeit

  • if you get an update denied message, in Windows File Explorer set security on the cacerts file to MODIFY for all Users (or chmod on Linux)

  • if keytool is not found, define a JAVA_HOME environment variable (or replace $JAVA_HOME with the full path)

Otherwise, try to follow the solution that you can find in this link: https://stackoverflow.com/a/3685601/2088039

You can export a certificate using Firefox; this site has instructions. Then you use keytool to add the certificate.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow