Wednesday, March 13, 2013

Visually Import SSL Certificates to Java Keystores

Working with SSL certificates in Java, in particular the self-signed ones frequently found in dev and QA environments, usually means dealing with the command-line keytool that ships with Java, either to add a certificate to a keystore (JKS file) or to add a new certificate authority to your truststore (cacerts file). If you are tired of reading the keytool help or googling what the exact import command looks like (and have forgotten it in the year or so since you last had to deal with it), I recommend the GUI tool Portecle. It makes it very easy to view the contents of a keystore/truststore file and to import new certificates, and it lets you download public certificates right from within the tool.

To add a public key certificate to a keystore, open the JKS file in Portecle, select Examine SSL/TLS Connection, and type in the hostname and port number of the https site whose certificate you would like to add. Then hit the PEM encoding button and save the certificate to a file. Next, click the Import Trusted Certificate button, select the file you just exported, and hit save. That's it!

To add trust for a new certificate authority to your truststore, open your cacerts file (the password is most likely 'changeit') and add the CA certificate file via the Import Trusted Certificate button. You will need to locate the CA certificate file on your app server and convert it to PEM format if it is not already in that format. For example, in WebLogic the CA file is located in the [WebLogic Home]/server/lib directory (CertGenCA.der by default). In IIS you can export the CA file to PEM format through the IIS Management Console. After importing the CA file into your cacerts file, your JVM should trust certificates issued by that CA.
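For anyone who still wants the scripted version of the two workflows above (the keystore import and the cacerts import), here is an added example of the keytool/openssl equivalent. It is not from the original post or from the Portecle project; it assumes openssl and keytool are on the PATH for the fetch and import steps, and the hostname dev.example.test, the /tmp paths, the aliases and the passwords are placeholders to replace with your own. The DER-to-PEM conversion needs only base64 and fold, since PEM is base64 of the DER bytes in 64-column lines between a header and a footer.

```shell
#!/bin/sh
# Added example, not from the original post: the keytool/openssl equivalent of
# the two Portecle workflows (import a server's certificate into a JKS keystore,
# and import a CA certificate into the JVM's cacerts truststore).
# Assumptions: openssl and keytool are on PATH for the fetch/import functions;
# the hostnames, paths, aliases and passwords used below are placeholders.
set -eu

# Fetch the leaf certificate a TLS server presents and save it as PEM, the
# command-line counterpart of Portecle's "Examine SSL/TLS Connection" + PEM save.
# -servername sends SNI so virtual-hosted servers return the right certificate.
fetch_server_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Convert a DER-encoded certificate (e.g. WebLogic's CertGenCA.der) to PEM.
# PEM is just base64 of the DER bytes in 64-column lines between a header and
# a footer, so base64 + fold is enough; no openssl needed for this step.
der_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    base64 < "$1" | tr -d '\n' | fold -w 64
    printf '\n%s\n' '-----END CERTIFICATE-----'
}

# Sanity check on a PEM file: header and footer present, and the body decodes
# back to exactly the DER bytes it was made from. Returns 0 when it matches.
verify_pem_matches_der() {
    pem=$1; der=$2
    [ "$(head -n 1 "$pem")" = '-----BEGIN CERTIFICATE-----' ] || return 1
    [ "$(tail -n 1 "$pem")" = '-----END CERTIFICATE-----' ] || return 1
    sed '1d;$d' "$pem" | base64 -d | cmp -s - "$der"
}

# Import a PEM certificate as a trusted entry, the equivalent of Portecle's
# "Import Trusted Certificate" button. Works for a JKS keystore and for cacerts.
import_trusted_cert() {
    keystore=$1; storepass=$2; alias=$3; pem=$4
    keytool -importcert -noprompt -keystore "$keystore" -storepass "$storepass" \
        -alias "$alias" -file "$pem"
}

# List the store afterwards: the check you would otherwise do by eye in Portecle.
list_store() {
    keytool -list -v -keystore "$1" -storepass "$2"
}

# Worked run, only executed when RUN_IMPORT=1 so the script can be sourced
# without touching the network or any keystore.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
    # Workflow 1: trust a dev server's self-signed certificate in an app keystore.
    fetch_server_cert dev.example.test 8443 /tmp/dev-server.pem
    import_trusted_cert /tmp/app.jks changeit dev-server /tmp/dev-server.pem
    list_store /tmp/app.jks changeit

    # Workflow 2: trust the WebLogic demo CA in the JVM truststore.
    # cacerts lives under jre/lib/security in Java 8 and earlier, lib/security later.
    der_to_pem "$WL_HOME/server/lib/CertGenCA.der" > /tmp/CertGenCA.pem
    verify_pem_matches_der /tmp/CertGenCA.pem "$WL_HOME/server/lib/CertGenCA.der"
    import_trusted_cert "$JAVA_HOME/jre/lib/security/cacerts" changeit weblogic-ca /tmp/CertGenCA.pem
    list_store "$JAVA_HOME/jre/lib/security/cacerts" changeit
fi
```

Run it as `RUN_IMPORT=1 WL_HOME=/path/to/wlserver sh import-certs.sh` after editing the placeholders; the final `list_store` call is the step that confirms the new alias actually landed in the store before you restart the JVM.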