-1

When using the below code the root CA certificate will not be listed:

URL destinationURL = new URL("https://google.com");
HttpsURLConnection conn = (HttpsURLConnection) destinationURL.openConnection();
conn.connect();
Certificate[] certs = conn.getServerCertificates();

How can I get the root CA (GeoTrust Global CA here)? Should I be using the CertPathBuilder?


This is the sample code I found for building the certification path:

// Create the selector that specifies the starting certificate
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);

// Create the trust anchors (set of root CA certificates)
Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
for (X509Certificate trustedRootCert : trustedRootCerts) {
     trustAnchors.add(new TrustAnchor(trustedRootCert, null));
}

// Configure the PKIX certificate builder algorithm parameters
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
            trustAnchors, selector);

// Disable CRL checks (this is done manually as additional step)
pkixParams.setRevocationEnabled(false);

// Specify a list of intermediate certificates
CertStore intermediateCertStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(intermediateCerts));
pkixParams.addCertStore(intermediateCertStore);

// Build and verify the certification chain
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder
            .build(pkixParams);

But how to get the trustedRootCerts and intermediateCerts? Or is there a completely different way?

Edit

This question answers how to get trusted root CAs, and I suppose intermediateCerts are the conn.getServerCertificates(). What certificate should be set in the selector, selector.setCertificate(cert)?

Krishnaraj
  • What happens when you try the code? What did you get? What does not work? What else have you tried? – Jim Garrison Jan 01 '18 at 05:08
  • @JimGarrison 1. I haven't run the code because I don't know how to get the `trustedRootCerts` and `intermediateCerts`. 2. The duplicate question does indeed tell how to get trusted root certs but it does not entirely answer this one. 3. I am not even sure if the `CertPathBuilder` is the only way to get the root CA of an SSL certificate, I was wondering if there were other simple ways. – Krishnaraj Jan 01 '18 at 06:34
  • You say 'the' root cert as if there were only one. Google IA2's issuer GeoTrust has its own root but also bridges to an older Equifax root which is nearly but not yet obsolete and is hinted by the actual Google servers -- but that's only a hint which a relier can ignore. Both chains and both roots are valid for now. Which one do you call 'the' root? – dave_thompson_085 Jan 01 '18 at 07:31
  • By 'root' I meant the trusted CA certificate that is installed in the OS (the one that's shown on top when you check 'view certificate' in a browser.). I had no idea that there could be more :) – Krishnaraj Jan 01 '18 at 07:58
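Putting the three pieces the question asks about together, as an added example that is not code from the question or either answer: the trust anchors come from the JRE's default trust store via TrustManagerFactory, the candidate intermediates are simply the certificates the server sent (conn.getServerCertificates()), and the selector is set to the end-entity certificate, chain[0]. The class name RootCaLookup and the method names are chosen here; the main method connects to https://google.com as in the question and so needs network access.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class RootCaLookup {

    /** Trust anchors from the JRE's default trust store (cacerts, or javax.net.ssl.trustStore). */
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null KeyStore selects the JRE's default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    /**
     * Builds a PKIX path from the server (leaf) certificate, chain[0], to one of the given
     * trust anchors and returns that anchor's certificate. Throws CertPathBuilderException
     * if no path to a locally trusted root exists, i.e. the chain is not trusted here.
     */
    static X509Certificate findTrustedRoot(Certificate[] chain, Set<TrustAnchor> anchors)
            throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate((X509Certificate) chain[0]); // the end-entity certificate
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        params.setRevocationEnabled(false); // revocation checking is a separate step, not shown
        // Everything the server sent is offered as candidate intermediates; the builder picks
        // the ones it needs and stops at the local anchor, even if the server also sent a root.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://google.com").openConnection();
        conn.connect();
        X509Certificate root = findTrustedRoot(conn.getServerCertificates(), defaultTrustAnchors());
        conn.disconnect();
        System.out.println("Trusted root: " + root.getSubjectX500Principal());
    }
}
```

The root returned is whichever local anchor the builder reaches first, which is why, as the comments above point out, it can differ from the root shown in a browser when a CA is cross-signed.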

2 Answers

0

The GeoTrust Global CA certificate should already be in your cacerts file for your Java installation, unless it's a new one and you're using an old Java version.

Your screenshot looks like maybe a Web Browser showing the certificate path, and you can save the certificate from there, if you trust it.

Note that Web Servers are not supposed to send the root certificate, so the server is doing the right thing.

Andreas
  • Or if he's using openjdk in which case it usually (at least IME) uses the _platform_ truststore rather than the Java-specific/Sun-Oracle one. – dave_thompson_085 Jan 01 '18 at 07:35
-1
Certificate[] certs = conn.getServerCertificates();

The order of this array is defined. The server certificate that you trust is now at certs[certs.length-1]. Note that it isn't necessarily the root certificate. If you want that, you may have to use the CertPathBuilder.

user207421