I have a java application that runs on client machines that receives ajax requests from web applications. Some of these web applications that would like to use the service are served only under https.

I have the java app now accepting and handling SSL requests just fine, but I must first navigate to the server in a browser and accept the cert.

What is the best method of having a 'real cert' installed as part of this java app that listens on https://localhost:my_port?

On windows, it seems I can have an installer add a self signed cert to the machines accepted list. I had also thought about getting a verified cert for thisApp.myDomain.com and then changing host files to point that address to 127.0.0.1, but changing host files seems malicious and I worry about that being picked up by anti-virus.

The 'main' application is a web based system. Some users of this web based system would like to be able to print to special printers on designated computers. The java app is to be installed on those computers, the web application then sends ajax requests to the java app, which interacts with the printers. End users need to be able to install this java service with an easy, one-click type of installer. The web app is run from a browser on the machines doing the printing, hence localhost.

As stated earlier, the web apps need to connect to the web server (currently residing with amazon) via https. The connection to the localhost print server does not need to be https for any reason other than Chrome complains about insecure content, and chrome is currently the most widely used browser by our users.

Any thoughts or suggestions?

Lee Quarella
  • 4,662
  • 5
  • 43
  • 68
  • possible duplicate of [Third-Party Signed SSL Certificate for localhost/127.0.0.1?](http://stackoverflow.com/questions/6793174/third-party-signed-ssl-certificate-for-localhost-127-0-0-1) – Stephen C May 29 '12 at 12:41
  • Changing the hosts file in development for testing purposes is common practice and there is nothing to worry about that – henryabra May 29 '12 at 12:46
  • How about changing hosts file in production? – Lee Quarella May 29 '12 at 12:50
  • The 'main' application is a web based system. Some users of this web based system would like to be able to print to special printers on designated computers. The java app is to be installed on those computers, the web application then sends ajax requests to the java app, which interacts with the printers. End users need to be able to install this java service with an easy, one-click type of installer. – Lee Quarella May 29 '12 at 12:57
  • The web app is run directly on the machines doing the printing, hence localhost. – Lee Quarella May 29 '12 at 13:04
  • Can you add all this data to the question? Furthermore, each computer that needs printing should have the webapp installed? If its localhost web app, why does it need to be secure http? – henryabra May 29 '12 at 13:09
  • Question updated. The webapp is not served from localhost, but it is being accessed from the same machine that the printers are installed on. – Lee Quarella May 29 '12 at 13:17
  • How did you solve this use case? I'm just solving the same issue, and as of 11/1/2015 there will be no certs issued for IPs/hostnames, so it will not be valid anymore, and you can't do the cross-site ajax call without adding the CA to the trusted ones. – Mejmo Dec 03 '14 at 14:09
  • I had a similar problem while using `new URL(...).open()` requests. The "real" certificate existed but didn't match _localhost_. To make it accept the certificate, I used the following code on the `HttpsURLConnection` instance: `connection.setHostnameVerifier((hostname, sslSession) -> Objects.equals(hostname, "localhost"))`. – superbob Sep 21 '16 at 14:45

2 Answers

2

If by "real" cert, you mean one that is signed by a trusted CA, then I think that the answer is that you probably can't. I don't think a trusted CA will issue one for you.

The answer I linked to above suggests that you set up your own CA by getting a CA cert. The other alternatives are a self-signed cert for 127.0.0.1, or tweaking your DNS resolution (e.g. via the client machines' "hosts" files) so that some name with a valid cert resolves to a loopback address on your client machines.


BTW - turning off certificate verification is not the way to go. It is better to add a self-signed certificate to the trusted cert list of (for instance) the user's browser.


If I was in your situation, I think I'd change whatever it is that requires HTTPS for requests on 127.0.0.1. Either don't require HTTPS for the requests, or change the IP address to the client's own IP address.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • Is it ok to programmatically change a user's hosts file during installation? Or am I right in assuming this will send up red flags? – Lee Quarella May 29 '12 at 13:03
  • @LeeQuarella - I don't know. I guess it depends on the virus checker. Have you tried it? – Stephen C May 29 '12 at 13:05
  • @LeeQuarella I would have a fit if a program tried to do that during installation. – Deestan May 29 '12 at 13:14
  • @Deestan, that's kinda what I thought. It's the reason I have not tried yet; I just had the feeling users may get upset. My user base is not the most savvy, but I don't want to insult them :-P. – Lee Quarella May 29 '12 at 13:19
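As an added example of the "self-signed cert for 127.0.0.1" route from this answer (not code from the question author or from Stephen C): a minimal Java HTTPS listener for the print service that loads a self-signed certificate whose SAN covers both `localhost` and `127.0.0.1`, binds to the loopback interface only, and honours ajax requests only from the one web app origin, since any page the user visits can otherwise call a localhost service. The keystore file name, alias, password, port and the origin `https://webapp.example.com` are assumed placeholders.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import java.io.FileInputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

// Keystore made beforehand, with a SAN covering both names the browser may use (assumed alias/file):
//   keytool -genkeypair -alias printserver -keyalg RSA -keysize 2048 -storetype PKCS12 \
//     -keystore printserver.p12 -dname "CN=localhost" -ext "SAN=dns:localhost,ip:127.0.0.1" -validity 365
// The installer exports the certificate for the OS/browser trust store:
//   keytool -exportcert -alias printserver -keystore printserver.p12 -rfc -file printserver.crt
public class LocalPrintServer {
    static final String ALLOWED_ORIGIN = "https://webapp.example.com"; // assumed web app origin
    static final int PORT = 8443;                                       // assumed port

    public static void main(String[] args) throws Exception {
        char[] storePass = "changeit".toCharArray(); // assumed; set by the installer in practice
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("printserver.p12")) { ks.load(in, storePass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, storePass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);

        // Bind to loopback only: the service exists for this machine's browser, not for the network.
        HttpsServer server = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), PORT), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx));
        server.createContext("/print", exchange -> {
            // Any web page the user visits can reach localhost; only honour the known web app origin.
            String origin = exchange.getRequestHeaders().getFirst("Origin");
            if (!ALLOWED_ORIGIN.equals(origin)) { exchange.sendResponseHeaders(403, -1); exchange.close(); return; }
            exchange.getResponseHeaders().set("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
            if ("OPTIONS".equals(exchange.getRequestMethod())) { // CORS preflight
                exchange.getResponseHeaders().set("Access-Control-Allow-Methods", "POST, OPTIONS");
                exchange.getResponseHeaders().set("Access-Control-Allow-Headers", "Content-Type");
                exchange.sendResponseHeaders(204, -1); exchange.close(); return;
            }
            byte[] body = "queued".getBytes(StandardCharsets.UTF_8); // printer hand-off omitted
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) { os.write(body); }
        });
        server.start();
    }
}
```

Chrome stops flagging the call once `printserver.crt` is in the machine's trust store and the page requests `https://localhost:8443/print` (the SAN must match whichever name the page uses).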
-1

I tried to install a self-signed certificate on the client machine, but it failed. I don't remember what the issue was. So I turned off certificate verification in the client code.

You can read about it here.

alexey28
  • 5,170
  • 1
  • 20
  • 25
  • It's the browser complaining about the cert when connecting to my java app. I don't think turning off verification in the java app will have any impact on the browser, will it? – Lee Quarella May 29 '12 at 12:54
  • If it is the browser, then yes, this does not help. It is only about the Java client. With a browser the only possible way is to buy a trusted certificate and install it on your server. – alexey28 May 29 '12 at 14:03
  • As the question says, and where the dilemma comes about, the server is localhost. localhost is not a qualified domain name and thus will not be given a trusted cert. – Lee Quarella May 29 '12 at 19:05