Java сертификаты не установлены

Добавление корневого сертификата в Java

При подключении к Web-кабинету в браузерах Google Chrome и Firefox появляется предупреждение системы безопасности Java о том, что сертификат запускаемого приложения не является доверенным (рис. 1).

Рисунок 1 – предупреждение безопасности Java

Данные сообщения открываются, если корневой сертификат Московской Биржи не добавлен в Справочник Java, независимо от того, внесен ли он в список доверенных сертификатов ОС Windows, или нет (см. раздел Добавление корневого сертификатов в список доверенных). Для добавления корневого сертификат Московской Биржи moex.cer в Справочник Java, необходимо выполнить следующее:

открыть Панель управления Windows → Java Control Panel → Security (рис. 2,1);

Рисунок 2 – вкладка Безопасность

нажать кнопку Manage Certificates. (рис. 2,2). В результате откроется окно импортирования сертификата (рис. 3);
Рисунок 3 – окно импортирования сертификата

выбрать Secure site CA из раскрывающего списка (см. рис. 3,1) и нажать кнопку Import (см. рис. 3,2). В результате откроется окно (рис. 4), в котором следует перейти в папку где расположен сертификат Московской Биржи, выбрать файл сертификата (рис. 4,1) и нажать кнопку Open (рис. 4,2).
Рисунок 4 – выбор сертификата Московской биржи Выбранный сертификат отобразится в окне импортирования сертификатов (рис. 5,1);
Рисунок 5 – результат добавления сертификата

нажать кнопку Close (см. рис. 5,2);

нажать кнопку Ок для применения настроек (рис. 6).

Рисунок 6 – вкладка Безопасность

Источник

How to import a public SSL certificate into a JVM

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms .

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.

Problem

When connecting two servers via HTTPS, the public SSL certificate from each server must be added to the other server’s JVM truststore.

Resolution

There are 2 ways to import a public SSL certificate into a JVM:

Using Portecle

This is a third-party application and not supported by Atlassian.

If running on a Linux/UNIX server, X11 will need to be forwarded when connecting to the server (so you can use the GUI), as below:

Select the Examine menu and then click Examine SSL/TLS Connection:

Enter the SSL Host and Port of the target system:

Wait for it to load, then select the public certificate and click on PEM:

Export the certificate and save it.

Go back to the main screen and select the Open an existing keystore from disk option, select the truststore file (for example $JAVA_HOME/lib/security/cacerts ) then enter the password (the default is changeit ).

Select the Import a trusted certificate into the loaded keystore button:

Select the certificate that was saved in step 6 and confirm that you trust it, giving it an appropriate alias (e.g.: confluence).

1. You may hit this error:
   
2. If so, hit OK, and then accept the certificate as trusted.

Save the keystore to disk:

Restart your application.

Test that you can connect to the host.

Command Line Installation

1. Fetch the certificate, replacing google.com with the FQDN of the server your application is attempting to connect to:

openssl s_client -connect google.com:443 -servername google.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >public.crt

openssl s_client -connect google.com:443 -servername google.com < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >public.crt

If you are under a redirection domain page, you must specify always -servername in order to ensure we are loading the correct domain, otherwise, openssl takes the first SSL cert it receives, when it should be the second cert that belongs to your domain.

The command above will only be executed if you have Sed for Windows as well as OpenSSL installed on your environment. If you don’t have Sed or OpenSSL or you don’t want to install it, use the instructions below as an alternative. Issue the following command:

openssl s_client -connect google.com:443 -servername google.com

Save the output to a file called public.crt. Edit the the public.crt file so it contains only what is between the BEGIN CERTIFCATE and END CERTIFICATE lines. This is how your file should look like after you edited it:

-----BEGIN CERTIFICATE----- < Certificate content as fetched by the command line. Don't change this content, only remove what is before and after the BEGIN CERTIFICATE and END CERTIFICATE. That's what your Sed command is doing for you :-) >-----END CERTIFICATE-----

keytool for fetching a certificate does not support Server Name Indication (SNI). If you need to specify a server name to get the correct certificate, please use openssl instead.

$JAVA_HOME/bin/keytool -printcert -sslserver google.com:443 -rfc >> public.crt

%JAVA_HOME%/bin/keytool -printcert -sslserver google.com:443 -rfc >> public.crt

/bin/keytool -importcert -alias -keystore /jre/lib/security/cacerts -file public.crt

/bin/keytool -importcert -alias -keystore /lib/security/cacerts -file public.crt

Then enter the password if prompted (the default is changeit ).

Note: If the cacerts file already has a certificate for the same server name, the import may fail with the following error:

keytool error: java.lang.Exception: Certificate not imported, alias already exist

If this happens, you first need to remove the existing certificate from cacerts before re-trying to import the new certificate.
To remove the existing certificate, you can use the command below:

/bin/keytool -delete -alias -keystore /jre/lib/security/cacerts

/bin/keytool -delete -alias -keystore /lib/security/cacerts

Alternative TrustStore Locations

Java will normally use a system-wide truststore:

• Java 8: $JAVA_HOME/jre/lib/security/cacerts
• Java 11: $JAVA_HOME/lib/security/cacerts

However it is possible to use a different truststore by specifying a parameter, — Djavax.net.ssl.trustStore=/path/to/truststore , where ‘ /path/to/truststore ‘ is the absolute file path of the alternative truststore. Information on how to configure JIRA startup variables can be found here.

However, setting this is not recommended because if Java is told to use a custom truststore (eg. containing a self-signed certificate), then Java will not have access to the root certificates of signing authorities found in $JAVA_HOME/jre/lib/security/cacerts , and accessing most CA-signed SSL sites will fail. It is better to add new certificates (eg. self-signed) to the system-wide truststore (as above).

Debugging

Problems are typically one of two forms:

• The certificate was installed into the incorrect truststore.
• The truststore does not contain the certificate of the SSL service you’re connecting to.

Description	When connecting two servers via HTTPS, the public SSL certificate from each server must be loaded on to the other server.
Product	Jira, Confluence, Bamboo, Bitbucket

Источник

How to import a CA root certificate into the JVM trust store

Web browsers and application runtimes, such as Java, have a special local database of recognised Certificate Authorities (CA). Each time an SSL/TLS connection is made, that database is queried in order to validate a server’s claimed identity (typically represented by its domain name).

If you try to make a secure connection (e.g. HTTPS or LDAPS) and the server doesn’t respond with a certificate issued by a recognised authority, the connection will fail with the following exception:

CertPathBuilderException: unable to find valid certification path to requested target 

If your company has its own CA, or, if you want to make SSL/TLS connections to a server in possession of a certificate issued by a CA which you recognise and trust, but is not listed in the default Java trust store, you will need to import the CA’s root certificate.

We recently encountered such a case when a user of the online OpenID Connect client was not able to connect to a web server which has a certificate issued by the StartCom CA. The root certificate of StartCom is recognised by browsers, but for some reason has not been included in the default JVM trust store.

Instructions for importing a CA root certificate into the JVM trust store

Step 1. Obtain the root certificate

For StartCom the root certificate was made available at http://www.startssl.com/certs/ca.pem, in PEM format. Certificates contain public information and CAs always make them available for download.

Step 2. Convert the root certificate to DER format

This can be done with help of the openssl toolkit, where ca.pem is the original certificate filename in PEM format, and ca.der the filename to output, in DER format (which the Java keytool utility can understand). If you were able to obtain the root certificate in DER format, skip this step.

openssl x509 -in ca.pem -inform pem -out ca.der -outform der 

Step 3. Validate the root certificate content

Ensure that the Java keytool can parse the certificate and display its content:

keytool -v -printcert -file ca.der 

Step 4. Import the root certificate into the JVM trust store

Enter the following command where $JAVA_HOME is a shell environment variable that points to your Java installation, e.g. to /usr/lib/jvm/java-7-oracle ; for -alias pick some unique name for the certificate in the store:

keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file ca.der 

(the default password for the CA store is changeit )

The keytool will prompt you for confirmation, enter yes to complete the operation.

Step 5. Verify that the root certificate has been imported

To do that list the trust store content and filter for the certificate alias (name) with grep :

keytool -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -list | grep startssl 

You will now be able to make secure SSL/TLS connections to servers which have a certificate signed by the CA which we just imported.

Источник