Trust CA cert without modifying keystore


Ian Pilcher

I am working on a program which needs to make an SSL connection to an
internal server. The server's certificate is signed by our internal
certificate authority (CA), which uses a self-signed root certificate.

All of the examples I can find involve using the keytool command to make
the CA certificate generally trusted by the system. I would much prefer
to simply embed the CA certificate in the application (as a String?) and
somehow create an SSL connection which trusts only this CA certificate.

Can someone provide some pointers on how to do this?

Thanks!
 

Ian Pilcher

Ian said:
All of the examples I can find involve using the keytool command to make
the CA certificate generally trusted by the system. I would much prefer
to simply embed the CA certificate in the application (as a String?) and
somehow create an SSL connection which trusts only this CA certificate.

OK, I figured it out. Here it is for posterity:

import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import java.security.KeyStore;
import java.io.InputStream;
import java.io.FileInputStream;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.SSLSocket;

class MySSL
{
    private static final String host = "my.host.name";
    private static final int port = 443;

    public static void main(String[] args) throws Exception
    {
        // Parse the PEM-encoded CA certificate from disk
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream("/my/CA/certificate.pem");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
        in.close();

        // Empty in-memory keystore holding only the CA certificate
        KeyStore ks = KeyStore.getInstance("jks");
        ks.load(null, null);
        ks.setCertificateEntry("My Certificate Authority", cert);

        // Trust managers that trust only what is in that keystore
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);

        SSLContext context = SSLContext.getInstance("SSL");
        context.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory sf = context.getSocketFactory();
        SSLSocket socket = (SSLSocket) sf.createSocket(host, port);
        socket.startHandshake();
    }
}
 

Roedy Green

I am working on a program which needs to make an SSL connection to an
internal server. The server's certificate is signed by our internal
certificate authority (CA), which uses a self-signed root certificate.

All of the examples I can find involve using the keytool command to make
the CA certificate generally trusted by the system. I would much prefer
to simply embed the CA certificate in the application (as a String?) and
somehow create an SSL connection which trusts only this CA certificate.

Can someone provide some pointers on how to do this?

When you sign an app, a copy of the public part of it goes with the
app.

To make the certificate trusted there are two approaches.

1. upload the cert to your website, and have the users click on it to
install it. To experiment see
http://mindprod.com/jgloss/contact/contact.html

That gets your phony cert on equal footing to one you buy from Thawte.
It does not automatically OK it. To do that, you need a policy file
change.


2. When the user OKs the self-signed cert, there will be a box to say
words to the effect "always trust this cert in future."
--
Roedy Green Canadian Mind Products
http://mindprod.com

If everyone lived the way people do in Vancouver, we would need three more entire planets to support us.
~ Guy Dauncey
 
Thanks Ian. Like you, I searched and searched the net for pointers to a problem exactly like you had. Your post was a great help to me!
 
