views: 941
answers: 4

Hi,

I've generated a self-signed certificate for my Java app using keytool. However, when I go to the site in a browser it always pops up with a warning - saying this site does not own the certificate - is there a way to self-sign/doctor a certificate so I won't get these warnings in a browser? Both server and browser are located on the same host and I navigate to the site using "http://localhost/". I do not want to add an exception to the browser because I have tests which run on a big build farm so it is excessive to add an exception to all browsers on all build machines.

+11  A: 

No, you can't. You might as well ask "How can I make a fake certificate for hsbc.com?"

There are two ways to get a browser to accept a certificate:

  • Buy a certificate for a domain from a trusted authority (which means proving to that authority that you own that domain) and then use that domain as the name of your test servers
  • Install your signing certificate into the browsers, so that you effectively become a trusted authority for that browser.

Without touching the browsers, there's no other way to do it - how could there be, if the internet is to remain secure?

RichieHindle
+1 for applying clue stick vigorously :-)
Stephen C
-1 very unhelpful and unimaginative answer.
Corehpf
@Corehpf - do you want an imaginative answer or the truth? There is NO WAY to get browsers to accept self-signed certs or certs signed by a non-root CA cert ... apart from installing them or the CA cert in your browsers.
Stephen C
+1  A: 

Is the certificate you created for localhost or for test.textbox.com? If you create a certificate for the FQDN test.textbox.com, that's how you need to be reaching the server to not get those errors, as long as the certificate is properly signed. You can't generate a certificate for the FQDN and then use an IP or an alias (localhost) to access it without being warned that things aren't matching up properly. Or am I misunderstanding your problem?

MattC
Note: Obviously test.testbox.com is just an example I used for this.
MattC
He's doing self-signed certs (meaning they don't trace back to any of the well-known CAs), so by definition he can't have them automatically accepted. To have a cert accepted automatically by a browser, it has to trace back to a CA that the browser knows about.
Michael Kohne
Yes but the error complaining that the site does not own the certificate indicates that the hostname the certificate was created for and whatever he is using to access that site are two different things. He said he's using localhost and I'm betting the cert is for the actual hostname of the server. That will cause red flags in most browsers as a security issue.
MattC
+4  A: 

You could also set up a self-signed Certificate Authority (CA) using OpenSSL or possibly your Java tool. You can then use that CA to sign a number of server certs.

You are still going to need to manually trust your self-signed CA on all clients that access your test servers, but at least you only have to trust one root CA, rather than a bunch of individual self-signed server certs.

Another option is to check out CAcert.

Brian Kelly
RichieHindle is correct. This method will not get rid of the warnings in the browser.
eman
Good Answer Brian
sixtyfootersdude
+1  A: 

Make the certificate for "localhost" instead. It needs to match the hostname you have in the URL.

You will still be bothered as the certificate is not trusted, but that is another issue.

Thorbjørn Ravn Andersen
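Brian Kelly's answer (one private CA that signs the server certs, so only one root has to be trusted on the build machines) and Thorbjørn Ravn Andersen's answer (the certificate name must match the host in the URL) combined into one script. This is an added example, not code from any of the answers; it assumes `openssl` 1.0.2 or later on PATH, and the CA name and directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): a private test CA with OpenSSL,
# a server cert whose name matches the URL ("localhost"), and the two checks a
# browser performs. Assumes openssl (1.0.2 or later) is on PATH.
set -eu

# make_test_pki DIR: writes ca.key/ca.crt and server.key/server.crt into DIR.
make_test_pki() {
    dir="$1"; mkdir -p "$dir"
    # Self-contained config so nothing depends on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
    # 1. Self-signed root CA: the one cert to import on every build machine.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/pki.cnf" -extensions ca_ext -subj "/CN=Build Farm Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR. The name must match the URL, so CN=localhost and,
    #    because browsers match against subjectAltName, DNS:localhost above.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/pki.cnf" -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the CA (CA-signed, not self-signed) and attach the SAN.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
}

# check_chain DIR: succeeds if server.crt chains to ca.crt, i.e. what the
# browser verifies once ca.crt is in its trust store.
check_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# check_hostname DIR HOST: succeeds if server.crt is valid for HOST (the check
# behind the "site does not own the certificate" warning in the question).
check_hostname() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```

Importing `ca.crt` into each browser's trust store (or the Java truststore) is still required; the script only removes the name-mismatch warning and reduces the trust step to a single root.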