
Is it possible to send an HTTPS POST request to a server that you only have the public key to (and not the whole certificate; obviously not talking about the private key here)?

Here is my setup. Both Server and client are developed and controlled by me.

  • HTTPS Server
    • has untrusted root certificate for https (from ZeroSSL, 90 days expiration)
  • Java Client (on github - open source)
    • has to send a file over an https connection
    • the app is downloaded by random people with varying technical knowledge (manual file imports for Java key storage, as I've seen them in many stackoverflow posts, are not an option)
    • the client app runs more than 90 days (hardcoding certificates is not an option, but the server's public key should stay the same after a renewal, which would make hardcoding this one possible)
    • I want this to be as secure as possible (trusting all certificates is also not an option)

Now I've seen one person talk about "pinning the server's public key" in a comment. Does anyone know more about how to do that? It sounds exactly like the thing I'm looking for.


UPDATE 1: This site https://whatsmychaincert.com/ fixed at least one problem I had with my certificate not being installed properly, where Firefox was fine with it, but ZeroSSL told me it wasn't properly installed. What that site did was to create a chained.crt file that basically consists of the content from certificate.crt and the ca_bundle.crt combined (copy-pasted one and then the other file content with a line break in between). This file I then put instead of the certificate file in the node-red settings.js.

/** Option 1: static object */
https: {
    key: require("fs").readFileSync('private.key'),
    // chained.crt = certificate.crt followed by ca_bundle.crt, so the server sends the full chain
    cert: require("fs").readFileSync('chained.crt')
},

It made things better but let's see if it also fixed my main problem...

doej1367
  • 'server's private key' - I never even mentioned anything else than certificates and public keys... 'Certificate from ZeroSSL is not self-signed' - then what is the name for certificates that make 'SSLHandshakeException: ValidatorException: SunCertPathBuilderException' problems and require special care, because they don't use the big providers and don't cost a ton of money to maintain? 'Your link is about certificate pinning' - the link might be but I'm not referring directly to the link but to the comments on that post the link leads to. – doej1367 Mar 09 '22 at 00:16
  • The name for that is an untrusted root certificate. Self-signing is a special case of that. What you have to do is import the server certificate or one of its roots into your truststore. – user207421 Mar 09 '22 at 00:31
  • 'server certificate or one of its roots' - which one would that be? I've got 'certificate.crt', 'ca_bundle.crt' (and the 'private.key') from ZeroSSL and created 'pubkey.pem' from 'certificate.crt' using openssl in the Linux console. 'Import into your truststore' - how would I do that and could it be that I then cut off the access to the other certs when I use something like [this](https://stackoverflow.com/a/16475301/6307611)? – doej1367 Mar 09 '22 at 00:44
  • Import the bundle. If you do that right you won't cut anything off. – user207421 Mar 09 '22 at 01:09
  • 'If you do that right' - How do I do it right? – doej1367 Mar 09 '22 at 09:15
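Putting the question and the comment thread together: a Java client that loads ca_bundle.crt as a resource packaged in the jar (so end users never run keytool) and, on top of normal chain validation, pins the SHA-256 of the server's SubjectPublicKeyInfo, which survives a 90-day renewal as long as the server keeps its key pair. This is an added example, not code from the question or the comments; the class name, the resource path, the upload URL and the all-zero pin value are placeholders.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Base64;
import javax.net.ssl.*;
public final class PinnedHttpsClient {
    // Placeholder pin (32 zero bytes): replace with base64(SHA-256(DER SubjectPublicKeyInfo)) of the server key,
    // e.g. from the pubkey.pem mentioned above: openssl pkey -pubin -in pubkey.pem -outform DER | openssl dgst -sha256 -binary | base64
    static final String PINNED_SPKI_SHA256 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    /** Trust anchors taken from ca_bundle.crt packaged in the jar, so users never touch a keystore by hand. */
    static X509TrustManager bundleTrustManager(InputStream caBundlePem) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // fresh in-memory truststore; the JVM's cacerts is deliberately not used
        for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(caBundlePem)) ks.setCertificateEntry("ca" + ks.size(), c);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    /** Chain validation against the bundle must pass AND the leaf's public key must match the pin. */
    static X509TrustManager pinned(X509TrustManager inner, String pinB64) {
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                inner.checkServerTrusted(chain, authType); // expiry, signatures, chain to the bundle
                try {
                    byte[] spkiHash = MessageDigest.getInstance("SHA-256").digest(chain[0].getPublicKey().getEncoded());
                    if (!MessageDigest.isEqual(spkiHash, Base64.getDecoder().decode(pinB64)))
                        throw new CertificateException("server public key does not match the pinned SPKI hash");
                } catch (java.security.NoSuchAlgorithmException e) { throw new CertificateException(e); }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { inner.checkClientTrusted(chain, authType); }
            public X509Certificate[] getAcceptedIssuers() { return inner.getAcceptedIssuers(); }
        };
    }
    public static void main(String[] args) throws Exception {
        InputStream bundle = java.util.Objects.requireNonNull(PinnedHttpsClient.class.getResourceAsStream("/ca_bundle.crt"), "ca_bundle.crt not packaged");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinned(bundleTrustManager(bundle), PINNED_SPKI_SHA256) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://upload.example.invalid/files").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname verification stays enabled
        conn.setRequestMethod("POST"); conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) { out.write(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(args[0]))); }
        System.out.println("HTTP " + conn.getResponseCode()); // a wrong key or bad chain throws before any file bytes leave the client
    }
}
```

If a renewal ever rotates the server key pair, every deployed client will refuse to connect until a build with the new pin ships, so keep the key stable on the server side or pin a backup key as well.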

0 Answers