9

I'm trying to send push notifications to Android devices through the Google Cloud Message servers.

The URL we use to do that is:

https://android.googleapis.com/gcm/send

In our entreprise applications, we do not use the default CA authorities and we add manually each entity we trust for security reason, in a truststore file loaded by SSLContext properties. I'd like to add GCM certificate to our truststore.

I don't know how to get the certificate from that URL. It seems the Chrome/Firefox export way is not working since the page redirects to another non-SSL page.

Someone has a solution?

Sebastien Lorber
  • 89,644
  • 67
  • 288
  • 419

3 Answers3

14

I've been able to save the certificates through the following Java code:

public void testConnectionTo(String aURL) throws Exception {
        URL destinationURL = new URL(aURL);
        HttpsURLConnection conn = (HttpsURLConnection) destinationURL.openConnection();
        conn.connect();
        Certificate[] certs = conn.getServerCertificates();
        System.out.println("nb = " + certs.length);
        int i = 1;
        for (Certificate cert : certs) {
            System.out.println("");
            System.out.println("");
            System.out.println("");
            System.out.println("################################################################");
            System.out.println("");
            System.out.println("");
            System.out.println("");
            System.out.println("Certificate is: " + cert);
            if(cert instanceof X509Certificate) {
                try {
                    ( (X509Certificate) cert).checkValidity();
                    System.out.println("Certificate is active for current date");
                    FileOutputStream os = new FileOutputStream("/home/sebastien/Bureau/myCert"+i);
                    i++;
                    os.write(cert.getEncoded());
                } catch(CertificateExpiredException cee) {
                    System.out.println("Certificate is expired");
                }
            } else {
                System.err.println("Unknown certificate type: " + cert);
            }
        }
    }

And import them to the truststore:

keytool -import -alias GoogleInternetAuthority -file myCert1 -keystore truststore
Sebastien Lorber
  • 89,644
  • 67
  • 288
  • 419
  • 12
    The above code holds only if you already have installed the specific certificate in your jvm truststore. On any other case where the specific certificate is not known to your jvm truststore, conn.connect() throws a javax.net.ssl.SSLHandshakeException – jkonst Jun 22 '18 at 15:06
  • Flush and close your outputstream. – ScrappyDev Jun 10 '21 at 18:58
11

If you have openssl you can use

openssl s_client -connect android.googleapis.com:443

s_client is a "generic SSL/TLS client which connects to a remote host using SSL/TLS", and among other things it prints out the server certificate it received from the remote server. It isn't an HTTP client, so it doesn't know to follow the 301 redirect, it'll just give you the certificate of the initial server you connected to.

Ian Roberts
  • 120,891
  • 16
  • 170
  • 183
4

Use Portecle. You can open the target key store, then use Examine > Examine SSL/TLS Connection, enter android.googleapis.com and 443 and you're done!

Jason Washo
  • 536
  • 6
  • 22
David Grant
  • 13,929
  • 3
  • 57
  • 63