Trust CA cert without modifying keystore

Discussion in 'Java' started by Ian Pilcher, Jun 22, 2009.

  1. Ian Pilcher

    Ian Pilcher Guest

    I am working on a program which needs to make an SSL connection to an
    internal server. The server's certificate is signed by our internal
    certificate authority (CA), which uses a self-signed root certificate.

    All of the example I can find involve using the keytool command to make
    the CA certificate generally trusted by the system. I would much prefer
    to simply embed the CA certificate in the application (as a String?) and
    somehow create an SSL connection which trusts only this CA certificate.

    Can someone provide some pointers on how to do this?

    Thanks!

    --
    ========================================================================
    Ian Pilcher
    ========================================================================
     
    Ian Pilcher, Jun 22, 2009
    #1

  2. Ian Pilcher

    Ian Pilcher Guest

    Ian Pilcher wrote:
    > All of the example I can find involve using the keytool command to make
    > the CA certificate generally trusted by the system. I would much prefer
    > to simply embed the CA certificate in the application (as a String?) and
    > somehow create an SSL connection which trusts only this CA certificate.


    OK, I figured it out. Here it is for posterity:

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    class MySSL
    {
        private static final String host = "my.host.name";
        private static final int port = 443;

        public static void main(String[] args) throws Exception
        {
            // Parse the CA certificate (PEM or DER) from disk.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            InputStream in = new FileInputStream("/my/CA/certificate.pem");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            in.close();

            // Build an in-memory trust store that holds only this CA.
            // The JRE's cacerts file is never consulted for this context.
            KeyStore ks = KeyStore.getInstance("jks");
            ks.load(null, null);
            ks.setCertificateEntry("My Certificate Authority", cert);

            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(ks);

            // "TLS" is the preferred protocol name on current JDKs; "SSL" is kept as posted.
            SSLContext context = SSLContext.getInstance("SSL");
            context.init(null, tmf.getTrustManagers(), null);
            SSLSocketFactory sf = context.getSocketFactory();

            // Note: a raw SSLSocket validates the chain but does not check the host name.
            SSLSocket socket = (SSLSocket) sf.createSocket(host, port);
            socket.startHandshake();
            socket.close();
        }
    }

    --
    ========================================================================
    Ian Pilcher
    ========================================================================
     
    Ian Pilcher, Jun 22, 2009
    #2
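The approach in the post above works, but two things a practitioner will want are missing from it: the OP's original goal of embedding the CA in the application rather than reading it from an absolute path, and host name verification, which a raw SSLSocket does not perform on its own (the chain is checked, but a valid certificate for any other name signed by the same CA would be accepted). The following is an added example, not code from the original thread. It assumes the CA's PEM file is packaged inside the jar as the classpath resource /internal-ca.pem (a hypothetical name) and that the target host and port are given on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Client that trusts exactly one CA certificate bundled inside the jar.
 * Assumption (hypothetical): the CA's PEM is the classpath resource /internal-ca.pem.
 */
public final class PinnedCaClient {

    private static final String CA_RESOURCE = "/internal-ca.pem";

    /** Loads the embedded CA certificate from the classpath. */
    public static X509Certificate loadEmbeddedCa() throws Exception {
        try (InputStream in = PinnedCaClient.class.getResourceAsStream(CA_RESOURCE)) {
            if (in == null) {
                throw new IOException("missing classpath resource " + CA_RESOURCE);
            }
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Builds an SSLContext whose only trust anchor is the given certificate. */
    public static SSLContext contextTrustingOnly(X509Certificate ca) throws Exception {
        // Fail fast if the embedded root has expired or is not yet valid;
        // PKIX would reject every handshake anyway, this just gives a clearer error.
        ca.checkValidity();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                        // empty in-memory store
        ks.setCertificateEntry("internal-ca", ca);  // the single trust anchor

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // "PKIX"
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client keys, default RNG
        return ctx;
    }

    /**
     * Opens a socket, turns on host name verification (which a plain SSLSocket
     * does not do by default) and completes the handshake.
     */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 style name check
        socket.setSSLParameters(params);
        // Throws SSLHandshakeException if the server's chain does not end at our CA
        // or its certificate does not match the host name.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "my.host.name";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        SSLContext ctx = contextTrustingOnly(loadEmbeddedCa());
        try (SSLSocket socket = connect(ctx, host, port)) {
            System.out.println("Connected to " + socket.getSession().getPeerPrincipal()
                + " using " + socket.getSession().getProtocol());
        }
    }
}
```

Build with `javac PinnedCaClient.java`, put the PEM at the root of the jar or classpath as internal-ca.pem, and run `java -cp . PinnedCaClient my.host.name 443`. Two caveats apply to this design: the server must send any intermediate certificates itself, because the only anchor the client knows is the root; and the JDK's PKIX trust manager performs no revocation checking unless it is enabled (for example with -Dcom.sun.net.ssl.checkRevocation=true), so a compromised server key stays trusted until its certificate expires or the application ships a new CA. To confirm independently that the server's chain really terminates at the embedded CA, `openssl s_client -connect my.host.name:443 -CAfile internal-ca.pem` should report "Verify return code: 0 (ok)".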

  3. Roedy Green

    Roedy Green Guest

    On Mon, 22 Jun 2009 12:08:47 -0500, Ian Pilcher <>
    wrote, quoted or indirectly quoted someone who said :

    >I am working on a program which needs to make an SSL connection to an
    >internal server. The server's certificate is signed by our internal
    >certificate authority (CA), which uses a self-signed root certificate.
    >
    >All of the example I can find involve using the keytool command to make
    >the CA certificate generally trusted by the system. I would much prefer
    >to simply embed the CA certificate in the application (as a String?) and
    >somehow create an SSL connection which trusts only this CA certificate.
    >
    >Can someone provide some pointers on how to do this?


    When you sign an app, a copy of the public part of it goes with the
    app.

    To make the certificate trusted there are two approaches.

    1. upload the cert to your website, and have the users click on it to
    install it. To experiment see
    http://mindprod.com/jgloss/contact/contact.html

    That gets your phony cert on equal footing to one you buy from Thawte.
    It does not automatically OK it. To do that, you need a policy file
    change.


    2. When the user oks the self-signed cert, there will be a box to say
    words to the effect "always trust this cert in future."
    --
    Roedy Green Canadian Mind Products
    http://mindprod.com

    If everyone lived the way people do in Vancouver, we would need three more entire planets to support us.
    ~ Guy Dauncey
     
    Roedy Green, Jun 22, 2009
    #3
  4. sharonbn

    sharonbn

    Thanks Ian. Like you, I searched and searched the net for pointers to a problem exactly like the one you had. Your post was a great help to me!
     
    sharonbn, Oct 21, 2012
    #4