
So this may be a stupid question but I have been scouring the internet all day trying to figure out how to get a trusted SSL certificate into my java server.

Details:

I created a Java server that creates an SSLServerSocket and accepts connections. I used keytool to create a keystore called domain.key as well as a certificate request (csr). I then contacted a certificate authority (Starfield) and gave them my csr, they did their thing and returned to me the certificates (crt). I have 3 of them. One is called domain.com.crt, one is called sf_bundle.crt, and one is called sf_intermediate.crt.

After much searching I found that I need to import the certificates into a keystore and that the keystore can be the same one that has my public/private keys or it can be in a separate file. I chose to put it into a separate file called domain.trust.

I then modified my server to import the trust store as well as the keystore using:

System.setProperty("javax.net.ssl.keyStore", "domain.key");
System.setProperty("javax.net.ssl.trustStore", "domain.trust");

along with the corresponding lines for the keystore password and the truststore password.

The problem is that when I try to connect using any client it always says that the certificate is self signed.

I have been using http://certlogik.com/ssl-checker/ to test it.

I obviously have missed a step but I can't find out where.

Any help would be greatly appreciated.

John S

3 Answers


The problem is that when I try to connect using any client it always says that the certificate is self signed.

This indicates that the root CA certificate is being sent to the client.
You don't mention how you created this separate keystore you use.
You should be doing something like the following:

keystore.setKeyEntry("alias", privateKey, password, chain);  

And chain would have:
chain[0] --> Your server's certificate
chain[1] --> The signer's certificate
....
chain[N] --> Signer up to the root

Cratylus

You first need to understand what happens during an SSL Handshake. Maybe then you can narrow down the problem. You can refer to various docs on the internet, for example http://www.pierobon.org/ssl/ch/detail.htm

  1. Your running server must either have the CA StarField installed in it, or it should have a trust relationship with the CA StarField.
  2. Your client certificate must be a CSR signed by CA StarField, which I guess you have already done.
  3. Now when you present your certificate to the Server, it checks with the CA's it has.
  4. So, if the Server has the CA StarField and your certificate is signed by StarField then there is no way you would get the Self Signed error.
  5. You get that only when your certificate is not signed by the CA. Just open your certificate and check its Issuer details to confirm.
Arham

Firstly, you seem to be confused about the difference between keystore and truststore. This answer may be of interest.

Essentially, unless you want to use client-certificate authentication, you have no need to change the trust store, from a server point of view.

After much searching I found that I need to import the certificates into a keystore and that the keystore can be the same one that has my public/private keys or it can be in a seperate file.

To be able to use the certificate you got from the CSR you initially had, you MUST import that certificate back in the keystore with which you generated the CSR, and you MUST import it, along with the whole certificate chain, into the correct alias, where the private key is stored.

This is essentially the same problem as the one in this question, but from the server side here.

Find the alias name that has your private key using keytool -list -keystore store.jks:

Your keystore contains 1 entry

myalias, Feb 15, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): xxxxxxxx

Then prepare a bundle with your certificate and the chain of CA certificates in the right order (your own certificate first, and then each issuer one by one):

-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV
....
-----END CERTIFICATE-----

(You can verify the content of each certificate using openssl x509 -text -noout and pasting each ---BEGIN/END--- block, including delimiters into its standard input.)

Then, import that file in a single step:

keytool -importcert -keystore store.jks -alias myalias -file bundle.pem
Bruno
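As an added example (not code from the question or any answer above), the same repair done from Java instead of keytool: it loads the keystore that produced the CSR, parses the PEM bundle, checks that the chain is in leaf-to-issuer order and that the leaf carries the key pair already stored under the alias, and then replaces the alias's chain with setKeyEntry, as Cratylus describes. The file names, alias, and the assumption that the key password equals the store password are mine.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ImportChain {
    // Assumed: the keystore created with keytool -genkeypair, its alias, its password
    // (also used as the key password), and a PEM bundle with the server cert first.
    static final String STORE = "domain.key", ALIAS = "myalias", BUNDLE = "bundle.pem";
    static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(STORE)) { ks.load(in, PASSWORD); }
        // The private key is kept; only the chain stored under the alias is replaced.
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASSWORD);

        // CertificateFactory parses every BEGIN/END CERTIFICATE block in the bundle.
        List<X509Certificate> chain = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(BUNDLE)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        checkOrder(chain);
        // The CSR came from this alias, so the CA-issued leaf must carry the same public key.
        if (!chain.get(0).getPublicKey().equals(ks.getCertificate(ALIAS).getPublicKey()))
            throw new IllegalStateException("bundle leaf does not match the key pair under " + ALIAS);

        ks.setKeyEntry(ALIAS, key, PASSWORD, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(STORE)) { ks.store(out, PASSWORD); }
        System.out.println("stored chain length: " + ks.getCertificateChain(ALIAS).length);
    }

    /** Rejects a bundle whose first entry is still self-signed or whose links are out of order. */
    static void checkOrder(List<X509Certificate> chain) throws Exception {
        if (chain.isEmpty()) throw new IllegalArgumentException("bundle contains no certificates");
        X509Certificate leaf = chain.get(0);
        if (leaf.getIssuerX500Principal().equals(leaf.getSubjectX500Principal()))
            throw new IllegalArgumentException("first certificate is self-signed; put the server cert first");
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate child = chain.get(i), parent = chain.get(i + 1);
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal()))
                throw new IllegalArgumentException("certificate " + i + " is not issued by certificate " + (i + 1));
            child.verify(parent.getPublicKey()); // signature check; throws if the link is broken
        }
    }
}
```

After this runs, `keytool -list -v -keystore domain.key` shows the alias with a chain length greater than 1 and the CA as issuer of the first certificate, which is what a client needs to stop reporting the server cert as self-signed.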