Debugging Java SSL Connection Issues
22. April 2013

Testing SSL Connection

  1. download SSLPoke.class
  2. Start SSLPoke by invoking:
    java SSLPoke <host> <port>
  3. have a look at the error messages; if the message alone does not tell you what failed, rerun with -Djavax.net.debug=ssl to get a full handshake trace


Keystore Problems

You can test the connection against a trust store you define yourself to see if there is anything wrong with it. If that works, the problem lies in the JVM configuration: the application is probably running with the wrong trust store (or none at all). If your application needs the custom trust store, add the same parameters to its JVM startup options.

java -Djavax.net.ssl.trustStore=<keystore> -Djavax.net.ssl.trustStorePassword=<password> SSLPoke localhost 443

Trustchain Problems

To see what’s going on, you can have a look at the complete certificate chain presented by the web server (pass -servername as well, so a server that hosts several names under SNI returns the certificate for the one you mean):

openssl s_client -showcerts -servername <host> -connect <host>:<port>

A simple way to get certificates into a keystore

Get the certificate chain from a URL

The simplest way to get the whole certificate chain presented by the web server is to use openssl s_client and write its output to a file. Note that -connect takes host:port, not a URL, and that s_client reads from stdin, so feed it /dev/null or it will sit waiting for input:

openssl s_client -showcerts -connect <host>:443 </dev/null >/tmp/cert.pem

Convert PEM to DER

Keytool accepts both PEM and DER encoded certificates, so this conversion is optional. Be aware that openssl x509 only reads the first certificate in the file, which is the server's own certificate; to convert an intermediate or root certificate from /tmp/cert.pem, copy its BEGIN/END CERTIFICATE block into a file of its own first.

openssl x509 -outform der -in /tmp/cert.pem -out /tmp/cert.der

Import DER into Keystore

After converting, you only have to import the certificate into the default Java trust store (cacerts) using the default password “changeit”. Two caveats: cacerts is shared by every application on that JVM and is replaced when the JVM is updated, so for anything beyond a quick test a dedicated trust store passed via -Djavax.net.ssl.trustStore is the better choice; and it is better to import the issuing CA certificate than the server's own certificate, which stops matching as soon as the server certificate is renewed. On Java 9 and later the file lives at lib/security/cacerts (there is no jre/ directory).

/usr/lib/jvm/java/bin/keytool -import -alias "certalias" -file /tmp/cert.der -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -noprompt
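The steps above, fetch the chain, pull the individual certificates out of it and import the ones you actually want to trust, put together as an added shell example that is not part of the original post. It goes a little beyond the post: it splits raw s_client output into one file per certificate (the post's openssl x509 call only ever sees the first one), and it imports into a dedicated trust store rather than the JVM-wide cacerts. The host, file names and the trust-store password are placeholders, and the PEM chain at the bottom is constructed dummy data, not real certificates, so that the splitting logic can run offline; the fetch and import functions need a reachable server, openssl and keytool.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a server's certificate chain
# with openssl s_client, split the PEM blocks into one file per certificate, and
# import chosen certificates into a dedicated Java trust store instead of the
# JVM-wide cacerts. Host, file names and password are placeholders.

# Fetch the chain presented by $1:$2 into file $3, keeping only the PEM blocks.
# -servername sends SNI; </dev/null stops s_client from waiting on stdin.
fetch_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
}

# Split a file holding several PEM certificates into $21.pem, $22.pem, ...
# Raw s_client output is fine: lines outside BEGIN/END blocks are dropped.
# Prints the number of certificates written. Order is the order the server
# sent them: the server's own certificate first, its issuer(s) after it.
split_chain() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = prefix n ".pem"; inside = 1 }
    inside { print > file }
    /-----END CERTIFICATE-----/ { inside = 0; close(file) }
    END { print n + 0 }
  ' "$1"
}

# Import the given PEM files into trust store $1 (created if missing) using
# password $2. keytool reads PEM directly, so no DER conversion is needed.
# The alias is the certificate's SHA-256 fingerprint, so importing the same
# certificate twice fails loudly instead of silently adding a duplicate.
import_certs() {
  store=$1; pass=$2; shift 2
  for f in "$@"; do
    cert_alias=$(openssl x509 -noout -fingerprint -sha256 -in "$f" | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f')
    keytool -importcert -noprompt -alias "$cert_alias" -file "$f" -keystore "$store" -storepass "$pass"
  done
}

# Constructed sample: the shape of raw `openssl s_client -showcerts` output with
# two certificate blocks. The base64 payloads are dummy text, NOT real
# certificates; they exist only to exercise split_chain without a network.
WORK=$(mktemp -d)
cat >"$WORK/chain.pem" <<'EOF'
CONNECTED(00000003)
depth=1 O = Constructed CA
verify return:1
---
Certificate chain
 0 s:CN = server.example
   i:O = Constructed CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURMRUFGQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
 1 s:O = Constructed CA
   i:O = Constructed CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURDQUNFUlRJRklDQVRF
-----END CERTIFICATE-----
---
Server certificate
subject=CN = server.example
EOF

COUNT=$(split_chain "$WORK/chain.pem" "$WORK/cert")
echo "split $COUNT certificate(s) into $WORK (cert1.pem = server, cert2.pem = issuer)"

# Real use against a live server (placeholders):
#   fetch_chain <host> 443 chain.pem
#   split_chain chain.pem cert            # -> cert1.pem (server), cert2.pem (issuer), ...
#   import_certs my-truststore.jks changeit cert2.pem   # trust the issuer, not the leaf
#   java -Djavax.net.ssl.trustStore=my-truststore.jks \
#        -Djavax.net.ssl.trustStorePassword=changeit SSLPoke <host> 443
```

Importing the issuer (cert2.pem and up) rather than the server's own certificate means the trust store keeps working when the server certificate is renewed, and pointing SSLPoke at the new trust store with -Djavax.net.ssl.trustStore verifies the fix before you touch the application's startup options.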


