53

I have a server with a self signed certificate, but also requires client side cert authentication. I am having a rough time trying to get the raw CA server cert so I can import it into a keystore. Anyone have some suggestions on how to easily do that? Thanks.

wuntee
  • 11,330
  • 26
  • 75
  • 105

5 Answers5

95

Was looking at how to trust a certificate while using jenkins cli, and found https://issues.jenkins-ci.org/browse/JENKINS-12629 which has some recipe for that.

This will give you the certificate:

openssl s_client -connect ${HOST}:${PORT} </dev/null

if you are interested only in the certificate part, cut it out by piping it to:

| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

and redirect to a file:

> ${HOST}.cert

Then import it using keytool:

keytool -import -noprompt -trustcacerts -alias ${HOST} -file ${HOST}.cert \
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

In one go:

HOST=myhost.example.com
PORT=443
KEYSTOREFILE=dest_keystore
KEYSTOREPASS=changeme

# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

# create a keystore and import certificate
keytool -import -noprompt -trustcacerts \
    -alias ${HOST} -file ${HOST}.cert \
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

# verify we've got it.
keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
alphamikevictor
  • 515
  • 6
  • 15
dnozay
  • 22,109
  • 4
  • 75
  • 93
  • Can I put HOST=*.example.com ? – Sequoya Dec 29 '16 at 04:05
  • 3
    For me, KEYSTOREPASS=changeit not 'changeme' – Douglas May 28 '18 at 15:58
  • 2
    Beginning with j7 in 2012, keytool (and CertificateFactory generally) ignores extraneous text in a PEM file for a cert, so you don't need the sed. Also with `-noprompt` _and_ `-storepass` you can pipe with no temp file: `openssl s_client -connect host:port | keytool -import -noprompt -alias nm -keystore file -storepass pw` – dave_thompson_085 Dec 04 '18 at 17:19
23

There were a few ways I found to do this:

    java InstallCert [host]:[port] 
    keytool -exportcert -keystore jssecacerts -storepass changeit -file output.cert
    keytool -importcert -keystore [DESTINATION_KEYSTORE] -file output.cert
Gili
  • 76,473
  • 85
  • 341
  • 624
wuntee
  • 11,330
  • 26
  • 75
  • 105
  • I've used Andreas Sterbenz's InstallCert class before too, its useful if you need a certificate for a host which doesn't accept HTTP GET requests – Jon Freedman Sep 10 '10 at 15:53
  • thanks wuntee, it helped me alot, because I got stock here: http://stackoverflow.com/questions/9210514/unable-to-find-valid-certification-path-to-requested-target-error-even-after-c :D ty – Tobias Sarnow Jul 25 '13 at 09:09
20

I use openssl, but if you prefer not to, or are on a system (particularly Windows) that doesn't have it, since java 7 in 2011 keytool can do the whole job:

 keytool -printcert -sslserver host[:port] -rfc >tempfile
 keytool -import [-noprompt] -alias nm -keystore file [-storepass pw] [-storetype ty] <tempfile 
 # or with noprompt and storepass (so nothing on stdin besides the cert) piping works:
 keytool -printcert -sslserver host[:port] -rfc | keytool -import -noprompt -alias nm -keystore file -storepass pw [-storetype ty]

Conversely, for java 9 up always, and for earlier versions in many cases, Java can use a PKCS12 file for a keystore instead of the traditional JKS file, and OpenSSL can create a PKCS12 without any assistance from keytool:

openssl s_client -connect host:port </dev/null | openssl pkcs12 -export -nokeys [-name nm] [-passout option] -out p12file
# <NUL on Windows
# default is to prompt for password, but -passout supports several options 
# including actual value, envvar, or file; see the openssl(1ssl) man page
dave_thompson_085
  • 24,048
  • 4
  • 34
  • 52
4

You can export a certificate using Firefox, this site has instructions. Then you use keytool to add the certificate.

Jon Freedman
  • 9,004
  • 4
  • 37
  • 51
4

Just expose dnozay's answer to a function so that we can import multiple certificates at the same time.

Save it to a .sh file then run it.

#!/usr/bin/env sh

KEYSTORE_FILE=/path/to/keystore.jks
KEYSTORE_PASS=changeit


import_cert() {
  local HOST=$1
  local PORT=$2

  if [[ -z $PORT ]]; then
    PORT=443
  fi

  # get the SSL certificate
  openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

  # delete the old alias and then import the new one
  keytool -delete -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS} -alias ${HOST} &> /dev/null

  # create a keystore (or update) and import certificate
  keytool -import -noprompt -trustcacerts \
      -alias ${HOST} -file ${HOST}.cert \
      -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS}

  # remove temp file
  rm ${HOST}.cert
}

# Change your sites here
import_cert stackoverflow.com 443
import_cert www.google.com # default port 443
import_cert 172.217.194.104 443 # google
Ninh Pham
  • 4,298
  • 35
  • 26