google chrome - Using browser's certificate in java program

Question

I am trying to make HTTP GET request using HttpURLConnection in java. When I make get using browser it says me certificate is not trusted do you want to proceed. I accept certificate and GET request get data. but i am getting certificate exception in java( given below )

What i understood from this exception is, I need to download that certificate and put this java system property berfore making GET request.

My questions are.

1. How will download this certificate from browser?
2. Can I use browser's certificate store in my java program, what do I need to know to use that?
3. If i want to install certificate in my keystore then what do I need to do?

THANKS A LOT :)

I am trying to download certificate using keytool command. I do not have any idea where certificate is stored in server, but i gave the path of server which i use in browser and browser says certificate is not trusted.

URL gatewayServiceUrl = new URL("http://192.168.55.179:56400/nwa");
        HttpURLConnection connection = (HttpURLConnection) gatewayServiceUrl.openConnection();
        connection.setRequestMethod("GET");
        connection.setRequestProperty("Authorization", getExample.getBasicAuth());
        connection.connect();
        if (HttpURLConnection.HTTP_OK == connection.getResponseCode()) {
            System.out.println("success");
            System.out.println(getExample.getDataFromStream(connection.getInputStream()));
        } else {
            System.out.println("success");
            System.out.println(getExample.getDataFromStream(connection.getErrorStream()));
        }
        System.out.println(connection.getResponseCode());






Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at com.testweb.GetExample.main(GetExample.java:18)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)

Answer 1

You have to add the issuer CA's of your server certificate (or directly the server certificate in case of for example your cds is selfsigned) to the truststore in order to avoid PKIX path builder exception.

By default java truststore is on JAVA_HOME/jre/lib/security/cacerts (you can specify another trust store with javax.net.ssl.trustStore property).

To do this, first download the server certificate. You can download the server certificate for example with Chrome connecting to the server url and click on the green lock, then select the tab connection and click on certificate information:

Then save this certificate on disc.

Now you have to add this certificate to java trust store, you can do it with java keytool (if is in your path use keytool if not keytool is on JAVA_HOME/bin/keytool):

keytool -import -trustcacerts -alias myServerCertificate -file path/myServerCert.crt -keystore JAVA_HOME/jre/lib/security/cacerts

The default password for cacerts is: changeit

Hope this helps,