Import Windows certificates to Java
Asked Answered
O

2

23

I have a Java server that is trying to connect to an external LDAP server through SSL (as a client, in order to perform queries).

I'm having trouble connecting since the certificate they send me upon connecting is trusted only in my local Windows truststore but is not present in the Java truststore (cacerts).

Is there a way to tell Java to trust any certificate that Windows would trust?

Or, alternatively, is there a way to import all trusted certificates from the Windows truststore into Java's cacerts?

Any idea would be appreciated.

Ouellette answered 21/12, 2016 at 7:31 Comment(0)
C
8

Is there a way to tell Java to trust any certificate that windows would have trust?

Please check @synoly's answer

The JVM default is located at jre/lib/security/cacerts. You can set also your own truststore:

System.setProperty("javax.net.ssl.trustStore", path_to_your_trustore_jks_file);
System.setProperty("javax.net.ssl.trustStorePassword", "password");

is there a way to import all trusted certificates from windows truststore to Java's cacerts?

There is no automatic process, but you could build a program to extract trusted authorities from the Windows certificate store and import them into a truststore configured for use in your application (modifying cacerts is not recommended).

import java.security.KeyStore;

// Read the Windows ROOT truststore through the SunMSCAPI provider (Windows only)
KeyStore ks = KeyStore.getInstance("Windows-ROOT");
ks.load(null, null); // no stream or password: the entries come from the OS store
Cholent answered 21/12, 2016 at 8:16 Comment(3)
Thanks for the reply. (1) So is it possible, using the snippet you provided, to add all the certificates from the Windows keystore into the Java truststore at runtime? (I'm thinking about doing it when my Java server starts.) (2) Why isn't it recommended to modify cacerts?Ouellette
1) Yes, it is possible, but the changes will be available depending on when and how the truststore is loaded.Cholent
2) Because cacerts will change between JVM distributions. If the system administrator installs a new JVM you will lose all changes.Cholent
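The export the answer above describes, written out as an added example (this is not code from the answer or from any project): it reads the Windows ROOT store through SunMSCAPI, copies every still-valid trusted certificate entry into a PKCS12 truststore file, and then points the running JVM's TLS trust at that file. The output path and the password "changeit" are assumptions; the program only works on Windows where the SunMSCAPI provider is available.

```java
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class ExportWindowsRoots {

    // Copies the trusted certificate entries of the Windows ROOT store into a
    // PKCS12 truststore at outPath and returns how many entries were copied.
    public static int export(String outPath, char[] password) throws Exception {
        KeyStore win = KeyStore.getInstance("Windows-ROOT"); // SunMSCAPI, Windows only
        win.load(null, null);                                 // entries come from the OS

        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null);                                 // start with an empty store

        int copied = 0;
        Enumeration<String> aliases = win.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!win.isCertificateEntry(alias)) continue;     // ROOT holds trust anchors only
            Certificate cert = win.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity();                         // drop anchors that are already expired
            } catch (CertificateException e) {
                continue;
            }
            out.setCertificateEntry(alias, x509);
            copied++;
        }
        try (FileOutputStream fos = new FileOutputStream(outPath)) {
            out.store(fos, password);
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "windows-roots.p12"; // assumed output path
        int n = export(path, "changeit".toCharArray());
        System.out.println("Exported " + n + " trusted certificates to " + path);

        // Use the exported file as this JVM's default truststore instead of cacerts.
        // This must happen before the first SSLContext/HttpsURLConnection is created.
        System.setProperty("javax.net.ssl.trustStore", path);
        System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    }
}
```

The exported file is a snapshot: anchors that Windows later adds, removes or distrusts are not reflected until the export is run again, so schedule it (for example at server start, as the question suggests) rather than treating the file as permanent.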
F
50

Solution

On Windows, set the following JVM properties:

javax.net.ssl.trustStore=NUL
javax.net.ssl.trustStoreType=Windows-ROOT

I’ve successfully tested this with Java 7, which runs on a 64-bit Windows installation which trusts a self-signed CA.

Configuring the security provider

If the above solution works for you (it should), you may skip this section. Otherwise, check the setup of your Java Cryptography Extension (JCE), which is bundled with modern JDKs. Your JDK installation should have a property file which contains a list of security providers. The location of that file may vary with Java versions; mine is located at "%JAVA_HOME%\jre\lib\security\java.security". Inside that file, locate a set of properties whose names begin with security.provider. One of those entries should be set to sun.security.mscapi.SunMSCAPI.

Example

To set the properties at runtime, use the following Java code:

System.setProperty("javax.net.ssl.trustStore", "NUL");
System.setProperty("javax.net.ssl.trustStoreType", "Windows-ROOT");

Explanation

javax.net.ssl.trustStoreType

On Windows, Java ships with SunMSCAPI, a security provider which is actually a wrapper around the Windows CAPI.

Setting the javax.net.ssl.trustStoreType property to Windows-ROOT instructs Java to refer to the native Windows ROOT keystore for trusted certificates, which includes root CAs. (Similarly, setting javax.net.ssl.keyStoreType to Windows-MY tells Java to refer to the native Windows MY keystore for user-specific certificates and their corresponding keys).

javax.net.ssl.trustStore

If the javax.net.ssl.trustStoreType property is set to Windows-ROOT, one would expect that the value of javax.net.ssl.trustStore is ignored, and that it can be set to e.g. NONE.

One common workaround for this issue is to set javax.net.ssl.trustStore to NONE, and then to create a dummy file whose file name is NONE. If you find yourself affected by this quirk, try setting javax.net.ssl.trustStore to NUL so you won't have to create any dummy files.

Fustian answered 27/2, 2018 at 14:35 Comment(6)
Very new answer, but tested and approved for my use case (Intellij behind an HTTPS corporate proxy)Sherrisherrie
Are you sure that the link on "Some users report that this approach doesn’t work for them though." is correct?Julietajulietta
@Julietajulietta Strange. I remember double-checking the link when I wrote my answer but of course you’re right, it seems to be completely unrelated. I guess I’ll remove it from the answer.Fustian
Set the windows system environment variable JAVA_OPTS to "-Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=Windows-ROOT" and then this will take effect for all JVMs you start.Becka
Where does one navigate to actually set these properties?Slavophile
@MaxCascone This answer has a section named Example. Does that help?Fustian
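An added example, not from the answer above, that applies the two properties it recommends and then checks that they took effect before opening the LDAPS connection the question asks about. It assumes Windows with the SunMSCAPI provider present, and the LDAPS URL is a placeholder; the LDAP provider is Java's built-in JNDI one, which picks up the default TLS trust settings.

```java
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class WindowsRootLdaps {

    // Apply the properties from the answer. They are read the first time the default
    // trust material is built, so this must run before any TLS connection is made.
    public static void useWindowsRoots() {
        System.setProperty("javax.net.ssl.trustStore", "NUL");          // NUL: no dummy file needed
        System.setProperty("javax.net.ssl.trustStoreType", "Windows-ROOT");
    }

    // Builds the default TrustManager from the javax.net.ssl.trustStore* properties
    // (init with a null KeyStore) and returns how many trust anchors it accepts.
    // A count of 0 means the properties were not honoured (e.g. SunMSCAPI missing).
    public static int trustedAnchorCount() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    // Opens an LDAPS connection; the server certificate chain is validated against the
    // Windows ROOT anchors because JNDI uses the default SSLSocketFactory.
    public static DirContext connect(String ldapsUrl) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        useWindowsRoots();
        System.out.println("Trust anchors from Windows ROOT: " + trustedAnchorCount());
        try (AutoCloseable ctx = connect("ldaps://ldap.example.invalid:636")::close) { // placeholder URL
            System.out.println("LDAPS handshake succeeded");
        }
    }
}
```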