Get certificate and add it to a Java truststore, when only having https URL?
S

3

11

I'm trying to send push notifications to Android devices through the Google Cloud Message servers.

The URL we use to do that is:

https://android.googleapis.com/gcm/send

In our enterprise applications, we do not use the default CA authorities, and for security reasons we manually add each entity we trust to a truststore file loaded by SSLContext properties. I'd like to add the GCM certificate to our truststore.

I don't know how to get the certificate from that URL. It seems the Chrome/Firefox export way is not working since the page redirects to another non-SSL page.

Does anyone have a solution?

Selina answered 21/9, 2012 at 10:0 Comment(0)
P
4

Use Portecle. You can open the target key store, then use Examine > Examine SSL/TLS Connection, enter android.googleapis.com and 443 and you're done!

Pubis answered 21/9, 2012 at 10:42 Comment(2)
On my Linux server, I am facing a similar issue. How do I get the certificate for this? - Strephon
@Strephon I'd recommend asking this as a question, not in comments. - Pubis
S
15

I've been able to save the certificates through the following Java code:

    import java.io.FileOutputStream;
    import java.net.URL;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateExpiredException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;

    // Connects to aURL and writes each certificate of the server's chain to a DER file.
    public void testConnectionTo(String aURL) throws Exception {
        URL destinationURL = new URL(aURL);
        HttpsURLConnection conn = (HttpsURLConnection) destinationURL.openConnection();
        conn.connect();
        Certificate[] certs = conn.getServerCertificates();
        System.out.println("nb = " + certs.length);
        int i = 1;
        for (Certificate cert : certs) {
            System.out.println("");
            System.out.println("");
            System.out.println("");
            System.out.println("################################################################");
            System.out.println("");
            System.out.println("");
            System.out.println("");
            System.out.println("Certificate is: " + cert);
            if (cert instanceof X509Certificate) {
                try {
                    ((X509Certificate) cert).checkValidity();
                    System.out.println("Certificate is active for current date");
                    // try-with-resources flushes and closes the file even if write() fails
                    try (FileOutputStream os = new FileOutputStream("/home/sebastien/Bureau/myCert" + i)) {
                        os.write(cert.getEncoded());
                    }
                    i++;
                } catch (CertificateExpiredException cee) {
                    System.out.println("Certificate is expired");
                }
            } else {
                System.err.println("Unknown certificate type: " + cert);
            }
        }
    }

And import them to the truststore:

keytool -import -alias GoogleInternetAuthority -file myCert1 -keystore truststore
Selina answered 21/9, 2012 at 10:48 Comment(2)
The above code holds only if you already have installed the specific certificate in your jvm truststore. On any other case where the specific certificate is not known to your jvm truststore, conn.connect() throws a javax.net.ssl.SSLHandshakeException - Advocate
Flush and close your outputstream. - Isoline
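
The comment above notes that conn.connect() fails with an SSLHandshakeException when the server's chain is not yet in the truststore. The following is an added example, not code from any of the posts: it records the chain with a trust manager that always rejects it, so the handshake is aborted and no application data is sent, then prints SHA-256 fingerprints and writes DER files. The class name FetchServerChain and the output file names server-cert-N.der are assumptions made for this example.

```java
import java.io.FileOutputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class FetchServerChain {
    /** Records the presented chain, then rejects it so the handshake is aborted. */
    static class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String authType) throws CertificateException {
            throw new CertificateException("client authentication not supported");
        }
        public void checkServerTrusted(X509Certificate[] c, String authType) throws CertificateException {
            chain = c;
            throw new CertificateException("chain recorded, not trusted");
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "android.googleapis.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        RecordingTrustManager tm = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (SSLException expected) {
            // Expected: the trust manager rejected the chain after recording it.
        }
        if (tm.chain == null) throw new IllegalStateException("no certificate chain received");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (int i = 0; i < tm.chain.length; i++) {
            X509Certificate cert = tm.chain[i];
            StringBuilder fp = new StringBuilder();
            for (byte b : sha256.digest(cert.getEncoded())) fp.append(String.format("%02X:", b));
            System.out.println(i + " " + cert.getSubjectX500Principal());
            System.out.println("  SHA-256 " + fp.substring(0, fp.length() - 1));
            try (FileOutputStream os = new FileOutputStream("server-cert-" + i + ".der")) {
                os.write(cert.getEncoded());
            }
        }
    }
}
```

Compare the printed fingerprint with one obtained through a separate channel before running keytool -import on the file, since a certificate fetched over an unverified connection proves nothing about who sent it.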
K
11

If you have openssl you can use

openssl s_client -connect android.googleapis.com:443

s_client is a "generic SSL/TLS client which connects to a remote host using SSL/TLS", and among other things it prints out the server certificate it received from the remote server. It isn't an HTTP client, so it doesn't know to follow the 301 redirect; it'll just give you the certificate of the initial server you connected to.

Kendy answered 21/9, 2012 at 10:12 Comment(0)
