Introduction
In this tutorial we will test the behaviour of the javax.net.ssl.trustStore option.
The objective is to check whether the -Djavax.net.ssl.trustStore option appends to or replaces the default Java keystore (cacerts) used by the JVM.
javax.net.ssl.trustStore behaviour test plan
- Create a HttpsUrlReader app to test HTTPS connections to two sites: https://helloworld.letsencrypt.org/ (signed by Let’s Encrypt) and https://icanhazip.com (signed by Comodo).
- Using the default trust store /etc/ssl/certs/java/cacerts, connect to both sites above.
- Remove the Let’s Encrypt root certificates (ISRG and DST / TrustID) from the default cacerts. The connection to https://helloworld.letsencrypt.org/ will fail but the connection to https://icanhazip.com will succeed.
- Create a new keystore containing only the ISRG and DST root certificates.
- Use the new keystore to connect: the connection to https://helloworld.letsencrypt.org/ will succeed but the connection to https://icanhazip.com (and to any other site whose certificate is not issued by Let’s Encrypt or DST / TrustID) will fail.
javax.net.ssl.trustStore Step By Step Test
1. Install openjdk-8-jdk on Ubuntu 16.04
sudo apt-get install openjdk-8-jdk
2. Create the HttpsUrlReader app. The source code can be found in this link
3. Check connections without providing a custom keystore (both will succeed)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org
4. Remove the Let’s Encrypt root certificates from the default cacerts
sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacerts
Note:
To find the alias of a certificate, list all certificates inside the keystore with the command below.
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias
5. Check connections without providing a custom keystore (icanhazip.com will succeed, helloworld.letsencrypt.org will fail)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org
6. Download the ISRG and DST / TrustID root certificates
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/isrgrootx1.pem
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/trustid-x3-root.pem
7. Add the ISRG and DST roots to a new keystore named customKeystore
keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore
keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystore
The new keystore customKeystore will be created in the current working directory.
8. Check connections using the new customKeystore (helloworld.letsencrypt.org will succeed, icanhazip.com will fail)
java -Djavax.net.ssl.trustStore=customKeystore -Djavax.net.debug=ssl HttpsUrlReader https://icanhazip.com
java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader https://helloworld.letsencrypt.org
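The steps above use the HttpsUrlReader app whose source is linked in step 2. The version below is an added example written for this page, not the original app: it reports which trust store the JVM will consult (the -Djavax.net.ssl.trustStore value, or the bundled cacerts when the property is absent), prints the server certificate chain so the signing root is visible, and distinguishes a PKIX trust failure from other connection errors. The default path printed for the no-property case is the JDK's own lib/security/cacerts, which on Debian/Ubuntu packages is a symlink to /etc/ssl/certs/java/cacerts.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/** Minimal HTTPS reader for the trust-store test (added example, not the page's original app). */
public class HttpsUrlReader {

    /** Returns true when the TLS handshake succeeds and the server answers the GET. */
    public static boolean check(String target) {
        // Show which trust store PKIX validation will use: the -D override or the JDK default.
        String store = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("trust store in use: " + (store != null ? store
                : System.getProperty("java.home") + "/lib/security/cacerts (default)"));
        try {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
            conn.setConnectTimeout(10_000);
            conn.setReadTimeout(10_000);
            conn.connect(); // TLS handshake and chain validation happen here
            System.out.println("cipher suite: " + conn.getCipherSuite());
            // Print the chain so the reader can see which root (ISRG/DST vs Comodo) signed the leaf.
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject: " + x.getSubjectX500Principal());
                    System.out.println("  issuer : " + x.getIssuerX500Principal());
                }
            }
            System.out.println("HTTP " + conn.getResponseCode() + " from " + target);
            conn.disconnect();
            return true;
        } catch (SSLHandshakeException e) {
            // Missing root in the trust store surfaces here as "PKIX path building failed ..."
            System.out.println("handshake FAILED for " + target + ": " + e.getMessage());
            return false;
        } catch (IOException e) {
            // DNS, TCP or HTTP problems unrelated to trust end up here.
            System.out.println("connection error for " + target + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java HttpsUrlReader <https-url>");
            System.exit(2);
        }
        System.exit(check(args[0]) ? 0 : 1);
    }
}
```

Compile with javac HttpsUrlReader.java and run it exactly as in steps 3, 5 and 8; the exit code (0 on success, 1 on a trust or connection failure) makes the result easy to check from a script.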
Conclusion
When we provide the javax.net.ssl.trustStore option to a Java application, the default keystore is not used at all. The custom trust store passed via javax.net.ssl.trustStore replaces the default keystore; it does not append to it.