Testing SSL Connection
- download SSLPoke.class
- Start SSLPoke by invocing:
java SSLPoke <host> <port>
- have a look at the error messages
Keystore Problems
You can test a connection using a self-defined keystore to see if there is anything wrong with it. If this is successfull, the error should be on jvm-configuration. There might be a wrong keystore configured. If you need your custom keystore, add the parameter to your jvm startup parameters.
java -Djavax.net.ssl.trustStore=/my/custom/keystore SSLPoke localhost 443
Trustchain Problems
To see what’s going on, you can have a look at the complete certificate chain given by the webserver:
openssl s_client -showcerts -connect <host>:<port>
A simple way to get certificates into a keystore
Get Keychain out of an url
The simplest way to get the whole certchain given by the webserver, is to use openssls connect method and write the output to a file.
openssl s_client -showcerts -connect <url>:443 >/tmp/cert.pem
Convert PEM to DER
Keytool likes to have a der encoded certificate, thus we have to convert it.
openssl x509 -outform der -in /tmp/cert.pem -out /tmp/cert.der
Import DER into Keystore
After converting the certificates, you only have to import them into the default java keystore using the default password “changeit”.
/usr/lib/jvm/java/bin/keytool -import -alias "certalias" -file /tmp/cert.der -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -noprompt