8

We wish to buy a wildcard SSL certificate as we have a lot of sub-domains. However, I don't know if Java trusts wildcard certificates. As people connect to our API via SSL, it will not be sufficient for us to force all third parties we communicate with to add our SSL certificate into their local truststore.

At the moment I'm facing a dilemma: buy a wildcard certificate from a Java-trusted issuer, or buy multiple certs, one per sub-domain.

Do other languages also have a truststore? If so, does anyone know if wildcard certificates work with them also?

Wes
  • It's a nice piece of information and it was useful to me. – Allen Feb 17 '12 at 03:36
  • 1
    Wildcard SSL isn't the same thing at all as trusting all certificates. Wildcard SSL is *.domain.com. Also, this question is 4 years older than the other question. Close this if you want, but it's not the same thing at all. – Wes Oct 24 '14 at 07:56

2 Answers

7

The default implementation in Sun's JSSE doesn't support wildcards. You need to write your own X509TrustManager to handle wildcards.

However, Java supports SAN (Subject Alternative Names) since Java 5. If you have less than 20 names, you can get one certificate for all of them. It may be cheaper than a wildcard cert.

ZZ Coder
  • I was thinking more of external parties connecting to our API rather than our Java code connecting to a wildcard-secured subdomain. I'm going to add that into the question to ensure that it's clear. – Wes Jul 05 '10 at 08:25
  • Java definitely supports wildcard certs in 2017 and even did in Java 6; see the other answer. – Wes Sep 29 '16 at 12:07
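The question and both answers turn on one rule: how a wildcard name in a certificate (or one of several Subject Alternative Names) is matched against the host being connected to. The checker below is an added example, not code from the question or either answer; it implements the RFC 6125 section 6.4.3 matching rules that Java's default hostname checker also enforces (wildcard only as the whole left-most label, standing for exactly one label, and never covering a bare top-level domain), so it shows exactly which hostnames a `*.example.com` certificate does and does not cover. The certificate SAN list is constructed for the example.

```python
# Added example: RFC 6125-style wildcard / SAN hostname matching.
# Not the page's code; it mirrors the rules a TLS client applies when it
# decides whether a presented certificate name covers the requested host.

def _labels(name):
    """Normalise a DNS name to lower-case labels, ignoring a trailing dot."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty hostname")
    return name.split(".")


def dns_name_matches(presented, hostname):
    """True if the certificate's presented dNSName covers hostname.

    Rules (RFC 6125 s6.4.3; Java's default checker applies the same ones):
      * comparison is case-insensitive, label by label
      * a wildcard is accepted only as the entire left-most label
        ("a*.example.com" and "api.*.example.com" are refused)
      * the wildcard stands for exactly one label: "*.example.com" covers
        "api.example.com" but not "example.com" nor "a.b.example.com"
      * a wildcard that would cover a whole top-level domain ("*.com")
        is refused
    """
    if "*" in hostname:
        raise ValueError("the name being checked must not contain a wildcard")
    p = _labels(presented)
    h = _labels(hostname)

    if "*" not in presented:
        return p == h                     # plain name: exact match only

    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                      # partial or non-left-most wildcard
    if len(p) < 3:
        return False                      # "*.com" would cover every .com host
    if len(p) != len(h):
        return False                      # wildcard matches exactly one label
    return p[1:] == h[1:]


def cert_covers(san_dns_names, hostname):
    """A certificate with several dNSName SANs covers hostname if any SAN does.

    This is the 'one certificate for up to N names' option from the first
    answer: the client only needs one SAN entry to match.
    """
    return any(dns_name_matches(n, hostname) for n in san_dns_names)


# Constructed SAN list for a hypothetical certificate (not a real cert).
EXAMPLE_SANS = ["*.example.com", "example.com", "api.example.net"]


if __name__ == "__main__":
    for host in ["api.example.com", "example.com", "deep.api.example.com",
                 "api.example.net", "www.example.net"]:
        print("%-24s covered=%s" % (host, cert_covers(EXAMPLE_SANS, host)))
```

Two consequences matter for the dilemma in the question: a `*.example.com` certificate does not cover the bare `example.com`, so that name needs its own SAN entry, and it does not cover second-level sub-domains such as `a.b.example.com`, which would need a separate certificate or SAN.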
3

I've attempted this with Java 6.

It appears to work correctly. I've successfully read headers and body content from a file that had a wildcard SSL certificate.

package com.example.test;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;


public class SSLTEST {
    public static void main(String[] args) {
        try {
            URL url = new URL("https://test.example.com/robots.txt");
            // openConnection() throws IOException; let the outer catch handle it
            // instead of swallowing it and continuing with a null connection.
            URLConnection connection = url.openConnection();

            // getHeaderFields() triggers the TLS handshake, so a certificate or
            // hostname problem surfaces here as an SSLHandshakeException.
            Map<String, List<String>> fields = connection.getHeaderFields();
            System.out.println("HEADERS");
            System.out.println("-------------------------------");
            for (Entry<String, List<String>> header : fields.entrySet()) {
                System.out.println(header.getKey() + " :");
                for (String value : header.getValue()) {
                    System.out.println("\t" + value);
                }
            }

            System.out.println("BODY CONTENT");
            System.out.println("-------------------------------");
            // BufferedReader replaces the deprecated DataInputStream.readLine()
            BufferedReader input = new BufferedReader(
                    new InputStreamReader(connection.getInputStream()));
            try {
                String inputLine;
                while ((inputLine = input.readLine()) != null) {
                    System.out.println(inputLine);
                }
            } finally {
                input.close();
            }

        } catch (MalformedURLException e) {
            System.err.println(e);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

EDIT: I've just received confirmation that this works on Java 1.5.

Wes
  • But is this code supposed to work with a wildcard SSL cert which was the original question? When I try this code on a server with a wildcard cert I get an SSLHandshakeException because the validation path fails. – Petri Pellinen Feb 21 '11 at 08:10
  • 1
    @Petri Pellinen It worked for a valid domain for me with a Verisign certificate. You may have less luck with a self-signed certificate. Also, modern certificates need the intermediate certificate when using an older version of Java 6 (according to my tests). – Wes Feb 21 '11 at 13:07
  • 1
    "...need the intermediate certificate when using an older version of java 6..." - That's always the case in PKIX. It's a well-known problem in PKI called the "which directory" problem. See OWASP's [Transport Layer Protection Cheat Sheet](http://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Always_Provide_All_Needed_Certificates). – jww Jun 26 '14 at 21:00
  • I can confirm with JDK 11.0.2+9 that a *.domain.local cert works just fine. – duct_tape_coder Jun 07 '22 at 19:26