Java, SSL and self-signed certificates

Posted by: Brian Pontarelli on 07/26/2008

Depending on the API you are using or how you are using SSL, you might have received an error stating that the certificate is invalid, no path to certificate, invalid certificate chain, no chain found, PKIX error, or something similar. This occurs when the certificate is self-signed or signed by an authority that is not trusted by the JDK you are using.

There is a simple way to handle this for self-signed certificates:

  1. Open Firefox
  2. Go to the site that is using SSL (e.g. https://svn.example.com)
  3. Click on the lock icon in the lower right corner of the browser window
  4. Click the “View certificate” button
  5. Click the details tab
  6. Click the export button to export the certificate
  7. Save the certificate in X.509 (PEM) format
  8. Go to a command prompt
  9. Add the certificate to the keystore

Here is the command to add the certificate to your global keystore:

*nix

$ keytool -import -keystore $JAVA_HOME/lib/security/cacerts -file <your-pem-export> -alias <anything>

Windows

c:\> keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file <your-pem-export> -alias <anything>
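
The steps above trust whichever certificate the browser was shown, and the global keystore is used by every Java program on that JDK. The following added example (not part of the original post) imports the exported PEM only when its SHA-256 fingerprint matches one obtained from the server's administrator out-of-band. The function names are hypothetical, and it assumes GNU `base64` and `sha256sum` are available.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU base64/sha256sum.

# SHA-256 fingerprint (lowercase hex) of the first certificate in a PEM file:
# the hash of the DER bytes, i.e. the base64-decoded body between the markers.
pem_sha256() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         inside                        { print }' "$1" |
        tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Reduce "AB:CD:..." or "ab cd ..." (as browsers and keytool print it)
# to bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# import_pinned <pem> <expected-sha256> <alias> [keystore]
# Runs keytool only if the file hashes to the fingerprint obtained out-of-band.
import_pinned() {
    pem=$1
    expected=$(normalize_fp "$2")
    cert_alias=$3
    keystore=${4:-$JAVA_HOME/lib/security/cacerts}
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    actual=$(pem_sha256 "$pem")
    if [ "${#expected}" -ne 64 ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $pem: got $actual" >&2
        return 1
    fi
    keytool -import -noprompt -keystore "$keystore" -file "$pem" -alias "$cert_alias"
}

# Usage: sh import-pinned.sh <pem> <expected-sha256> <alias> [keystore]
if [ "$#" -ge 3 ]; then
    import_pinned "$@"
fi
```

keytool still prompts for the keystore password; passing a fourth argument points the import at an application-specific truststore instead of the global one.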
