
I need to connect to a URL over HTTPS using Java. I don't have any experience with SSL certificates, and most of the questions here assume some basic knowledge. I was hoping someone here could get me started on the basics.

When I put the URL in my browser, it connects just fine. When I do it using Java:

new URL("https://mysite.com/").openStream()

it throws javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This question shows how to ignore the whole certificate thing, but that doesn't feel right. I simply want to use the same certificate my browser does.

I've already tried adding the -Djavax.net.ssl.trustStore=cacerts property, which changes the exception to javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty, which I've taken from this question to mean it can't find the trust store called cacerts. I'm not sure what else to specify, though.

Jorn
  • It seems that `mysite.com` uses a self-signed certificate, or so. Have you imported the certificate that `mysite.com` offers into `cacerts`? – Alexander Tokarev Jan 31 '14 at 10:42
  • I haven't added anything manually. I figure since my browser can find the certificate, Java should be able somehow too, I just have to tell it where to look. – Jorn Jan 31 '14 at 10:44
  • You need to use the `keytool` command that comes with the JVM to import the server certificate (and most probably the root CA that signed it) into your keystore. `cacerts` is the default CA store shipped with the JVM. – guido Jan 31 '14 at 10:44

1 Answer

Many sites use self-signed certificates for SSL. You should add them to your JRE's cacerts file. In such cases I use the following steps:

  1. Go to https://mysite.com with your browser
  2. Save its certificate to your local machine
  3. Import it to your cacerts with keytool command. The command line looks like this: keytool -import -alias mysite -file mysite.cer -keystore {path/to/cacerts}

As an alternative, you can use the openssl s_client utility to retrieve the mysite.com certificate.

Alexander Tokarev
  • Thanks, this worked like a charm! I created a new keystore instead of using cacerts, since I'm not sure what password it wanted, but that's a minor detail. So, if I understand correctly, my browser automatically detects that the site has a so-called `self-signed certificate` and imports it automatically, but I have to find and import it manually in order for Java to recognize that. – Jorn Jan 31 '14 at 10:59
  • Default password for JRE's cacerts is `changeit` – Alexander Tokarev Jan 31 '14 at 11:01
  • Yes, browsers can detect that a certificate is self-signed, or so. Usually, they show a warning like this: `The site's security certificate is not trusted` in such cases. – Alexander Tokarev Jan 31 '14 at 11:06
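The answer's steps (save the server certificate, import it into a keystore, point Java at that keystore) can also be done inside the program, which sidesteps the `-Djavax.net.ssl.trustStore` flag entirely. The `trustAnchors parameter must be non-empty` error in the question is what Java reports when the trust store it was pointed at is empty, which is also what happens when the path given to the flag does not exist (the JRE's own copy lives under `$JAVA_HOME/lib/security/cacerts`, or `$JAVA_HOME/jre/lib/security/cacerts` on Java 8). The example below is added here and is not code from the question or the answer: it builds an in-memory trust store from a certificate file (assumed to be the `mysite.cer` saved in step 2, in PEM or DER form), refuses to continue if that store ends up empty, and applies the resulting `SSLContext` to a single `HttpsURLConnection` rather than to the whole JVM. `https://mysite.com/` is the placeholder host from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not part of the original Q&A): trust exactly the certificate(s)
 * in a file for one HTTPS connection, without editing the JRE-wide cacerts file.
 */
public class PinnedTrustExample {

    /** Builds an in-memory trust store holding every certificate found in certPath. */
    static KeyStore trustStoreFrom(String certPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty store; no password needed in memory
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certPath)) {
            int i = 0;
            // generateCertificates accepts a single DER file or a PEM bundle
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("mysite-" + (i++), c);
            }
        }
        if (ks.size() == 0) {
            // An empty trust store is exactly what later surfaces as
            // "the trustAnchors parameter must be non-empty"; fail early instead.
            throw new IllegalStateException("no certificates found in " + certPath);
        }
        return ks;
    }

    /** Creates an SSLContext whose only trust anchors are the entries of trustStore. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certs, default randomness
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: the cert file saved from the browser, and the question's placeholder host.
        String certPath = args.length > 0 ? args[0] : "mysite.cer";
        String url = args.length > 1 ? args[1] : "https://mysite.com/";

        SSLContext ctx = contextFor(trustStoreFrom(certPath));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection only
        // Hostname verification still runs with the default verifier, so the
        // certificate in the file must actually be issued for the host in the URL.
        try (InputStream body = conn.getInputStream()) {
            System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
        }
    }
}
```

Run it as `java PinnedTrustExample mysite.cer https://mysite.com/`. Two points worth keeping in mind when using either this or the keytool route: importing a self-signed certificate is a trust decision, so compare the certificate's fingerprint (for example from `keytool -printcert -file mysite.cer`) against a value obtained from the site's operator before trusting it, and a trust store that contains only the server certificate will stop working the moment that certificate is renewed, whereas importing the issuing CA certificate (as guido's comment suggests) survives renewals.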