javax.net.ssl.trustStore Option Behaviour

Introduction

In this tutorial we will test the behaviour of javax.net.ssl.trustStore option.

The objective is to check whether -Djavax.net.ssl.trustStore option append or replace the default java keystore being used by java.

javax.net.ssl.trustStore behaviour test plan

1. Create HttpsUrlReader app to test https connection to two sites, https://helloworld.letsencrypt.org/ (Signed by let’s encrypt) and https://icanhazip.com (signed by Comodo)
2. Using default trust store /etc/ssl/certs/java/cacerts connect to both sites above.
3. Remove Let’s Encrypt Root certificates (ISRG and DST / TrustID) from default cacerts. Connection to https://helloworld.letsencrypt.org/ will be failed but connection to https://icanhazip.com will be successful.
4. Create new keystore with contents ISRG and DST root certificates.
5. Use the new keystore to connect, connection to https://helloworld.letsencrypt.org/ will be successful but connection to https://icanhazip.com (and other sites using SSL certs not issued by let’s encrypt and DST / TrustCA will be failed.

javax.net.ssl.trustStore Step By Step Test

1. Install openjdk-8-jdk on Ubuntu 16.04

sudo apt-get install openjdk-8-jdk

2. Create HttpsUrlReader app . Source code can be found in this link

3. Check connections without providing custom keystore (both will succeed)

java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org

4. Remove Let’s Encrypt Root certificates

sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacerts

Note:

To search alias we can list all certificates inside keystore using command below.

keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias

5. Check connection without providing custom keystore (icanhazip.com will succeed, helloworld.letsencrypt.org will fail)

java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org

6. Download ISRG And DST / TrustID Root

wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/isrgrootx1.pem
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/trustid-x3-root.pem

7. Add ISRG and DST root to new keystore named customKeystore

keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore

keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystore

new keystore customKeystore will be created on current working directory.

8. Check connection using new customKeystore. Let’s encrypt will success, icanhazip.com will fail

java -Djavax.net.ssl.trustStore=customKeystore -Djavax.net.debug=ssl HttpsUrlReader https://icanhazip.com

java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader https://helloworld.letsencrypt.org

Conclusion

When we provide javax.net.ssl.trustStore option to java application, the default keystore will not be used. The custom trust store passed by javax.net.ssl.trustStore option replace the default keystore.

References

• http://www.herongyang.com/PKI/HTTPS-Java-javax-net-ssl-trustStore-System-Property.html
• https://bhaskarvk.github.io/2008/05/some-useful-java-system-properties/