ansaurus

Question

How do I import a new Java CA cert without using the keytool command line utility?

Answer 1

+1 A:

I don't know if that is possible, but you could implement your own TrustManager to allow this connection or this CA. Here are the basics.

Yishai 2009-10-30 15:48:43

That could work for us. The link suggests a way to entirely disable verification which isn't what we want exactly but maybe I could sublcass the normal TrustManager to make one which tries all regular root certificates plus one. Thanks, this looks promising.

Alexander Ljungberg 2009-10-30 17:55:50

Answer 2

A:

If you want to install the certificate to the trusted root's keystore on the desktop machine, you will need permission to do that. It's the same with the keytool, you need a password to access the trusted root's keystore. If you want to be quick-n-dirty, you can

write the certificate to a file or a byte stream or whatever
import using KeyTool class (sun.security.tools.KeyTool)

But IMHO if the certificate is not valid, then it is not trustworthy. I would say there's a good reason for that.

Miguel Ping 2009-10-30 15:48:55

It's valid according to Firefox and Internet Explorer. Java just comes with its own key store instead of using the OS provided one, and I suppose the Java version doesn't include the latest comers to the SSL market.

Alexander Ljungberg 2009-10-30 16:18:35

There are cases, where this is reasonable: In our company, we use our own CA internally - naturally it's not trusted by default (browser etc. complain). Importing this CA certificate is much easier than adding exceptions for single certificates all over the place.

sfussenegger 2009-10-30 16:21:24

Answer 3

A:

IMHO, Sun has not exposed keytool via an API, primarily to prevent developers from modifying the set of trusted CAs. I can very imagine attackers exploiting such code to insert their own root certificates into the trust store compromising the very model of the trust store.

In fact, if you look at the source of the KeyTool class (sun.security.tools package), not only is it final, it also has a private constructor preventing any caller from creating an instance of the KeyTool class from code. KeyTool does have a main method, making the commandline (and hence an OS user) possibly the only manner in which one can initialize and communicate with KeyTool.

The only (simplistic) approaches left would be:

Initialize keytool as a process from the application, and pass commandline arguments to install the root CA certificate. This alone is a bad idea, and I would recommend notifying the user as to what is occuring.
Avoid the use of keytool and instead provide users with instructions on how to install the root CA using Keyman or KeyTool IUI. Speaking for myself only here, I prefer the latter.

Vineet Reynolds 2009-10-30 16:59:33

For the technical level of our users, automatic no questions asked installation is the only option that'd spare us from "your application is broken, fix it" kind of support questions.

Alexander Ljungberg 2009-10-30 17:50:31

Regarding the philosophical question of whether applications should be allowed to modify the keystore the answer has to be of course -- otherwise the keytool itself couldn't work. Access to the operation could be controlled by a security manager perhaps. Alas, I digress. The design decisions behind this don't matter as much as the search for a practical solution. Thanks for the pointers either way.

Alexander Ljungberg 2009-10-30 17:54:07

I had forgotten to mention another alternative - using your own trust store which could contain all the root CAs that you wish. You can get the JVM to use that truststore via the javax.net.ssl.trustStore property.

Vineet Reynolds 2009-10-30 21:28:11

Answer 4

A:

You could always invoke KeyTool as a process Runtime.exec(...)

Richard Perfect 2009-10-30 20:24:41

ansaurus

tags:

views:

answers:

How do I import a new Java CA cert without using the keytool command line utility?

related questions