Wednesday, June 19, 2013

Creating KeyStore file using "InstallCert.java" to configure SSL on Development Env

This post describes how to generate and test a KeyStore file using "InstallCert.java" in order to configure SSL (https) in a local development environment.

If you landed on this page because of the error "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" while using an SSL configuration on your server for your Java application, follow the steps in this post:

I used the "InstallCert.java" Java class mentioned at this link to create a certificate and add it to the Java keystore, which I could then use in my development environment's Tomcat server to achieve SSL.

This assumes you have downloaded the "InstallCert.java" file to your local system and compiled it.
In my case, I compiled it in "D:\MyEclipse8_WS\compAproj\src":

Run the java command, passing the server's hostname (in my case it's "localhost", for the development environment):
D:\MyEclipse8_WS\compAproj\src> java InstallCert localhost

[You could also have passed something like this:
D:\MyEclipse8_WS\compAproj\src> java InstallCert www.xyz.com
where "www.xyz.com" is your test environment's domain/host name.]

You will get a result like the one below:
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
Opening connection to localhost:443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building f
ailed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certificatio
n path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at InstallCert.main(InstallCert.java:100)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provid
er.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:195)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certific
ation path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 17 more

Server sent 1 certificate(s):

 1 Subject CN=localhost, OU=DDMS, O=RSI, L=Bangalore, ST=Karnatak, C=IN
   Issuer  CN=localhost, OU=DDMS, O=RSI, L=Bangalore, ST=Karnatak, C=IN
   sha1    6e ee e0 c7 19 5f ee ab 6f e0 bd 60 db 56 fa 7f 9a 82 dc 08
   md5     31 b6 06 9f 77 58 33 3b b8 ad 79 9b 44 77 a9 b0

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
  Version: V3
  Subject: CN=localhost, OU=DDMS, O=RSI, L=Bangalore, ST=Karnatak, C=IN
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 92659808969929865129336241341967971654025457738531240931492821310253581021652160736911057
8703736995831932144701336033660310891386958539146005637308769188367103225061070068772345915142571293
8993861368030004277914233863759887059296889665823492198040834084491251919373806193796848922810680430
7637917119048358073
  public exponent: 65537
  Validity: [From: Mon Jun 10 17:00:58 GMT+05:30 2013,
               To: Sun Sep 08 17:00:58 GMT+05:30 2013]
  Issuer: CN=localhost, OU=DDMS, O=RSI, L=Bangalore, ST=Karnatak, C=IN
  SerialNumber: [    51b5b8f2]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 65 4F 4F 86 21 1C CF A6   50 BD B0 29 CE C8 6F F9  eOO.!...P..)..o.
0010: DE C1 99 47 29 21 0F 8F   24 36 43 0C 3B 75 21 D6  ...G)!..$6C.;u!.
0020: 81 D2 15 E0 F3 5E 9F 30   33 EC 0F 65 28 2D 0E F1  .....^.03..e(-..
0030: F0 76 3D A0 C0 D1 18 41   5B FB 1B C5 FB 7B B8 52  .v=....A[......R
0040: 62 CE A7 34 32 06 A2 F7   2E BB 78 55 1A CE B0 50  b..42.....xU...P
0050: A3 2E 3E 32 68 7F EE 6C   83 D4 9E 76 E7 14 B7 C0  ..>2h..l...v....
0060: 91 C6 22 B2 C6 A9 CC 2F   E0 06 3A F1 50 92 15 FC  .."..../..:.P...
0070: C5 F6 1A 12 4E 52 38 31   99 32 E1 66 D2 7D 49 EB  ....NR81.2.f..I.

]

Added certificate to keystore 'jssecacerts' using alias 'localhost-1'


To list the keystore and check that our certificate (stored under the alias 'localhost-1', alongside the other certificates imported from %JAVA_HOME%\jre\lib\security\cacerts) is in there:
D:\MyEclipse8_WS\compAproj\src>keytool -list -keystore jssecacerts
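As an added example (not the InstallCert.java the post uses), the hypothetical class VerifiedInstallCert below performs the same capture-and-import that produced the output above, with one extra check: it prints the server certificate's SHA-256 fingerprint and writes the certificate to jssecacerts only when that fingerprint equals one passed on the command line, so a certificate is trusted only after its fingerprint has been compared with the value taken from the server's own configuration. It assumes port 443, the default keystore password "changeit", and the same alias scheme '<host>-1' as the output above.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class VerifiedInstallCert {
    // Wraps the real trust manager so the chain is captured even when validation fails (the trick InstallCert.java uses)
    static class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;
        X509Certificate[] chain;                       // filled in during the handshake
        SavingTrustManager(X509TrustManager tm) { this.tm = tm; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { tm.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { chain = c; tm.checkServerTrusted(c, a); }
    }

    static String sha256Hex(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Usage: java VerifiedInstallCert <host> <expected-sha256-hex>   (hypothetical class; both values are supplied by you)
    public static void main(String[] args) throws Exception {
        String host = args[0], expected = args[1].replace(":", "").toLowerCase();
        char[] pass = "changeit".toCharArray();        // default password of the JRE's cacerts
        File store = new File("jssecacerts");          // written in the current directory, as InstallCert does
        File seed = store.exists() ? store : new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(seed)) { ks.load(in, pass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SavingTrustManager stm = new SavingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { stm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
            System.out.println("Certificate is already trusted; nothing to import.");
            return;
        } catch (SSLException e) { /* "PKIX path building failed" is expected for a self-signed certificate */ }
        if (stm.chain == null) throw new IllegalStateException("server sent no certificate");
        X509Certificate leaf = stm.chain[0];
        String actual = sha256Hex(leaf);
        System.out.println("Subject " + leaf.getSubjectX500Principal() + "\nsha256  " + actual);
        // The fingerprint must match the one obtained from the server's own configuration before anything is trusted
        if (!actual.equals(expected)) throw new SecurityException("fingerprint mismatch, refusing to import");
        ks.setCertificateEntry(host + "-1", leaf);
        try (OutputStream out = new FileOutputStream(store)) { ks.store(out, pass); }
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + host + "-1'");
    }
}
```

The resulting file can also be handed to a JVM without touching the JRE's own cacerts, by starting it with -Djavax.net.ssl.trustStore=jssecacerts.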

So, we now have the keystore generated for us.
There are two ways to use the generated keystore file:
1st way:
Configure the keystore as the default keystore using the environment settings described in the Java documentation.

Or, 2nd way:
Do the steps below:
1. Copy your "cacerts" file (located in %JAVA_HOME%\jre\lib\security\) to a safe backup location.
2. Rename the "jssecacerts" file (generated above) to "cacerts".
3. Copy the newly renamed "cacerts" file into %JAVA_HOME%\jre\lib\security\.
     If asked to overwrite, say Yes.

Now, run the java command a second time to verify that your SSL configuration is correct for use with your Java web applications:

D:\MyEclipse8_WS\compAproj\src> java InstallCert localhost

This time there should be no errors, which means the Java application can complete a proper SSL handshake with the server.
Congrats!!


You can follow these posts as references, which might be helpful to you:
http://nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target
http://www.java-samples.com/showtutorial.php?tutorialid=210
http://www.novell.com/communities/node/13621/cacerts-dummies