Option Behaviour


In this tutorial we will test the behaviour of the option.

The objective is to check whether the option appends to or replaces the default Java keystore (the trust store) used by the JVM.

Behaviour test plan

  1. Create the HttpsUrlReader app to test HTTPS connections to two sites: (signed by Let’s Encrypt) and (signed by Comodo).
  2. Using the default trust store /etc/ssl/certs/java/cacerts, connect to both sites above.
  3. Remove the Let’s Encrypt root certificates (ISRG and DST / TrustID) from the default cacerts. The connection to will fail but the connection to will succeed.
  4. Create a new keystore containing only the ISRG and DST root certificates.
  5. Use the new keystore to connect: the connection to will succeed, but the connection to (and to any other site using an SSL certificate not issued by Let’s Encrypt or DST / TrustID) will fail.

Step By Step Test

1. Install openjdk-8-jdk on Ubuntu 16.04

sudo apt-get install openjdk-8-jdk

2. Create the HttpsUrlReader app. The source code can be found in this link.

3. Check connections without providing a custom keystore (both will succeed)

java HttpsUrlReader
java HttpsUrlReader

4. Remove the Let’s Encrypt root certificates

sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacerts


To find the alias, list all certificates in the keystore with the command below.

keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias

5. Check connections without providing a custom keystore ( will succeed, will fail)

java HttpsUrlReader
java HttpsUrlReader

6. Download the ISRG and DST / TrustID root certificates

wget -c
wget -c

7. Add the ISRG and DST roots to a new keystore named customKeystore

keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore

keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystore

The new keystore customKeystore will be created in the current working directory.

8. Check connections using the new customKeystore. Let’s Encrypt will succeed, will fail

java HttpsUrlReader

java HttpsUrlReader


When we provide the option to the Java application, the default keystore is not used at all: the custom trust store passed by the option replaces the default keystore rather than being appended to it. Only the CAs present in the custom keystore are trusted, so any site whose chain is anchored elsewhere will fail validation.
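The HttpsUrlReader app from step 2 is linked rather than shown, so here is an added example of such a checker (my code, not the post's source). It assumes the option under test is the standard javax.net.ssl.trustStore system property and is run as `java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader <url> [<url> ...]`:

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

// Added example (not the post's original source). Performs a TLS handshake
// against each URL on the command line and reports whether the server chain is
// anchored by the trust store in effect: the JRE default cacerts, or, assuming
// the option under test is -Djavax.net.ssl.trustStore=<path>, that file only.
public class HttpsUrlReader {

    // Returns true when the handshake succeeds, false when the chain is untrusted.
    static boolean check(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            conn.connect(); // triggers the TLS handshake and PKIX path validation
            // Print the issuer of each certificate the server sent, so the chain
            // (an ISRG root vs. a Comodo root) is visible next to the verdict.
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    System.out.println("  issuer: " + ((X509Certificate) c).getIssuerX500Principal());
                }
            }
            return true;
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed": no root in the trust store anchors this chain.
            System.out.println("  untrusted: " + e.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        String ts = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("trust store: " + (ts == null ? "<JRE default cacerts>" : ts));
        int failures = 0;
        for (String url : args) {
            System.out.println(url);
            if (!check(url)) failures++;
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

An exit status of 1 means at least one site's chain was not anchored by the trust store in use, which is the outcome steps 5 and 8 expect for the respective sites.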

