- Добавление корневого сертификата в Java
- How to import a public SSL certificate into a JVM
- Problem
- Resolution
- Using Portecle
- Command Line Installation
- Alternative TrustStore Locations
- Debugging
- How to import a CA root certificate into the JVM trust store
- Instructions for importing a CA root certificate into the JVM trust store
- Step 1. Obtain the root certificate
- Step 2. Convert the root certificate to DER format
- Step 3. Validate the root certificate content
- Step 4. Import the root certificate into the JVM trust store
- Step 5. Verify that the root certificate has been imported
Добавление корневого сертификата в Java
При подключении к Web-кабинету в браузерах Google Chrome и Firefox появляется предупреждение системы безопасности Java о том, что сертификат запускаемого приложения не является доверенным (рис. 1).
Рисунок 1 – предупреждение безопасности Java
Данные сообщения открываются, если корневой сертификат Московской Биржи не добавлен в Справочник Java, независимо от того, внесен ли он в список доверенных сертификатов ОС Windows, или нет (см. раздел Добавление корневого сертификатов в список доверенных). Для добавления корневого сертификат Московской Биржи moex.cer в Справочник Java, необходимо выполнить следующее:
- открыть Панель управления Windows → Java Control Panel → Security (рис. 2,1);
Рисунок 2 – вкладка Безопасность
Рисунок 3 – окно импортирования сертификата
Рисунок 4 – выбор сертификата Московской биржи Выбранный сертификат отобразится в окне импортирования сертификатов (рис. 5,1);
Рисунок 5 – результат добавления сертификата
Рисунок 6 – вкладка Безопасность
How to import a public SSL certificate into a JVM
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms .
The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.
Problem
When connecting two servers via HTTPS, the public SSL certificate from each server must be added to the other server’s JVM truststore.
Resolution
There are 2 ways to import a public SSL certificate into a JVM:
Using Portecle
This is a third-party application and not supported by Atlassian.
If running on a Linux/UNIX server, X11 will need to be forwarded when connecting to the server (so you can use the GUI), as below:
- You may hit this error:
- If so, hit OK, and then accept the certificate as trusted.
Command Line Installation
- Fetch the certificate, replacing google.com with the FQDN of the server your application is attempting to connect to:
openssl s_client -connect google.com:443 -servername google.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >public.crt
openssl s_client -connect google.com:443 -servername google.com < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >public.crt
If you are under a redirection domain page, you must specify always -servername in order to ensure we are loading the correct domain, otherwise, openssl takes the first SSL cert it receives, when it should be the second cert that belongs to your domain.
The command above will only be executed if you have Sed for Windows as well as OpenSSL installed on your environment. If you don’t have Sed or OpenSSL or you don’t want to install it, use the instructions below as an alternative. Issue the following command:
openssl s_client -connect google.com:443 -servername google.com
Save the output to a file called public.crt. Edit the the public.crt file so it contains only what is between the BEGIN CERTIFCATE and END CERTIFICATE lines. This is how your file should look like after you edited it:
-----BEGIN CERTIFICATE----- < Certificate content as fetched by the command line. Don't change this content, only remove what is before and after the BEGIN CERTIFICATE and END CERTIFICATE. That's what your Sed command is doing for you :-) >-----END CERTIFICATE-----
keytool for fetching a certificate does not support Server Name Indication (SNI). If you need to specify a server name to get the correct certificate, please use openssl instead.
$JAVA_HOME/bin/keytool -printcert -sslserver google.com:443 -rfc >> public.crt
%JAVA_HOME%/bin/keytool -printcert -sslserver google.com:443 -rfc >> public.crt
/bin/keytool -importcert -alias -keystore /jre/lib/security/cacerts -file public.crt
/bin/keytool -importcert -alias -keystore /lib/security/cacerts -file public.crt
Then enter the password if prompted (the default is changeit ).
Note: If the cacerts file already has a certificate for the same server name, the import may fail with the following error:
keytool error: java.lang.Exception: Certificate not imported, alias already exist
If this happens, you first need to remove the existing certificate from cacerts before re-trying to import the new certificate.
To remove the existing certificate, you can use the command below:
/bin/keytool -delete -alias -keystore /jre/lib/security/cacerts
/bin/keytool -delete -alias -keystore /lib/security/cacerts
Alternative TrustStore Locations
Java will normally use a system-wide truststore:
- Java 8: $JAVA_HOME/jre/lib/security/cacerts
- Java 11: $JAVA_HOME/lib/security/cacerts
However it is possible to use a different truststore by specifying a parameter, — Djavax.net.ssl.trustStore=/path/to/truststore , where ‘ /path/to/truststore ‘ is the absolute file path of the alternative truststore. Information on how to configure JIRA startup variables can be found here.
However, setting this is not recommended because if Java is told to use a custom truststore (eg. containing a self-signed certificate), then Java will not have access to the root certificates of signing authorities found in $JAVA_HOME/jre/lib/security/cacerts , and accessing most CA-signed SSL sites will fail. It is better to add new certificates (eg. self-signed) to the system-wide truststore (as above).
Debugging
Problems are typically one of two forms:
- The certificate was installed into the incorrect truststore.
- The truststore does not contain the certificate of the SSL service you’re connecting to.
Description | When connecting two servers via HTTPS, the public SSL certificate from each server must be loaded on to the other server. |
---|---|
Product | Jira, Confluence, Bamboo, Bitbucket |
How to import a CA root certificate into the JVM trust store
Web browsers and application runtimes, such as Java, have a special local database of recognised Certificate Authorities (CA). Each time an SSL/TLS connection is made, that database is queried in order to validate a server’s claimed identity (typically represented by its domain name).
If you try to make a secure connection (e.g. HTTPS or LDAPS) and the server doesn’t respond with a certificate issued by a recognised authority, the connection will fail with the following exception:
CertPathBuilderException: unable to find valid certification path to requested target
If your company has its own CA, or, if you want to make SSL/TLS connections to a server in possession of a certificate issued by a CA which you recognise and trust, but is not listed in the default Java trust store, you will need to import the CA’s root certificate.
We recently encountered such a case when a user of the online OpenID Connect client was not able to connect to a web server which has a certificate issued by the StartCom CA. The root certificate of StartCom is recognised by browsers, but for some reason has not been included in the default JVM trust store.
Instructions for importing a CA root certificate into the JVM trust store
Step 1. Obtain the root certificate
For StartCom the root certificate was made available at http://www.startssl.com/certs/ca.pem, in PEM format. Certificates contain public information and CAs always make them available for download.
Step 2. Convert the root certificate to DER format
This can be done with help of the openssl toolkit, where ca.pem is the original certificate filename in PEM format, and ca.der the filename to output, in DER format (which the Java keytool utility can understand). If you were able to obtain the root certificate in DER format, skip this step.
openssl x509 -in ca.pem -inform pem -out ca.der -outform der
Step 3. Validate the root certificate content
Ensure that the Java keytool can parse the certificate and display its content:
keytool -v -printcert -file ca.der
Step 4. Import the root certificate into the JVM trust store
Enter the following command where $JAVA_HOME is a shell environment variable that points to your Java installation, e.g. to /usr/lib/jvm/java-7-oracle ; for -alias pick some unique name for the certificate in the store:
keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file ca.der
(the default password for the CA store is changeit )
The keytool will prompt you for confirmation, enter yes to complete the operation.
Step 5. Verify that the root certificate has been imported
To do that list the trust store content and filter for the certificate alias (name) with grep :
keytool -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -list | grep startssl
You will now be able to make secure SSL/TLS connections to servers which have a certificate signed by the CA which we just imported.