Friday, October 8, 2010

How to add a certificate?

Do you receive the following error?

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Perhaps the certificate of the site you are requesting is not valid or is self-signed. If you really trust the certificate (perhaps it is your development environment) and want to add it to your server, here is how:

Assume that you are trying to reach https://abc.def.com/someContent/

1) Execute this on your console:
openssl s_client -connect abc.def.com:443

(Windows users can use Firefox to view the certificate and export it instead of following step 1 and step 2.)

2) Copy the certificate information and save it to a file like abc.pem. The part you are going to copy will look like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

(You should include the BEGIN CERTIFICATE and END CERTIFICATE lines too.)

(Windows users can export the file with Firefox: just go to the website and click on the certificate at the bottom right, choose Details, and then Export.)

3) Add it to trusted certs:
sudo /opt/java/bin/keytool -import -alias abc.def.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file abc.pem

(If you do not know your keystore password, the default is 'changeit'.)

(Windows users should execute just keytool; they should not type sudo /opt...)

When asked, reply "yes".

Please note that if you are a developer, you will possibly want to update cacerts in JDK_HOME/jre/lib/security/cacerts and JAVA_HOME/lib/security/cacerts
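
Importing a certificate into cacerts makes every Java application on that JVM trust it, so it is worth confirming that what was copied in steps 1 and 2 is really the server's certificate before running step 3. The shell functions below are an added example, not part of the original post: they extract the first certificate block from s_client output and compare its SHA-256 fingerprint with one obtained out of band from the server owner (the function names and that fingerprint source are assumptions).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print only the first PEM certificate block found in `openssl s_client`
# output (read from stdin or from a file argument), dropping the rest.
extract_leaf_pem() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside                        { print }
        /-----END CERTIFICATE-----/   { if (inside) exit }
    ' "$@"
}

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab:cd:..." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if EXPECTED is non-empty and equals ACTUAL after normalizing.
fp_matches() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# fetch_and_check HOST EXPECTED_SHA256_FP OUTFILE
# EXPECTED_SHA256_FP is assumed to come from the server owner, out of band.
fetch_and_check() {
    host=$1; expected=$2; out=$3
    openssl s_client -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | extract_leaf_pem >"$out"
    actual=$(openssl x509 -in "$out" -noout -fingerprint -sha256) || {
        echo "no certificate received from $host" >&2; rm -f "$out"; return 1
    }
    if fp_matches "$expected" "$actual"; then
        echo "fingerprint matches; $out can be imported with keytool"
    else
        echo "fingerprint MISMATCH ($actual); not importing" >&2
        rm -f "$out"; return 1
    fi
}

# Usage: fetch_and_check abc.def.com "AB:CD:..." abc.pem
```

If the fingerprints differ, the output file is deleted so that it cannot be passed to keytool by accident.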