SSL and java

credits: ph0t0 (from flickr)

credits: ph0t0 (from flickr)

Sooner or later it happens that you have to access an https via Java. Accessing a generic http (non ssl) site is quite easy using the URL and URLConnection objects.

When you try to access a site through SSL the main problem is that most sites does not have a registration in the java’s Certificate Autorithy (CA), causing the framework to refuse connection to that site. So the main solution is to register the certificate of that site in the java’s CA.

So, the things to do are:

  1. download the site certificate
  2. register it in the java’s CA
  3. accessing the site

Downloading the certificate

In order to download the certificate we are gonna use Firefox. With firefox navigate to the site and if required accept the certificate. Double click on the icon of the certificate (1), in the screen that appear choose view certificate (2), on details tab (3) use the export button (4) and save it wherever you want (5).


Register the certificate

Once downloaded the .cer file (X 509 Certificate DER), you can import it into the CA using the a command line program deployed with the j2se installation: keytool.

Java’s CA and keytool are available in the $JAVA_HOME/lib/security/ and an example of using the keytool (under windows) is the following

C:\Program Files\Java\jre6\lib\security>keytool -import -trustcacerts -alias fonsai -keystore cacerts -file fonsai.cer

where fonsai.cer the file name of the certificate just downloaded.

Maybe if you are using eclipse, you will have to restart the workbench in order to make the registration visible to the jvm.

The main counterpart of using this approach is that you have to register the certificate for each jvm running the program and since certificate can expire you should have to do this operation more than one time. I advise to automate the registration operation with a shell script to be distributed among with the program.

Accessing the site

Once registered the site’s certificate, you can access it as usual using the URL and URLConnection objects. It should be enough to tell (via an SSL provider. Here is a PDF with the code.