Using Mozilla's Certificate Authority List for Java SSL
By Pete Freitag
Every so often you run into an issue where you need to import a certificate authority's certificate into Java's cacerts certificate authority file. Oracle does update the cacerts file every so often, but it never seems to be as up to date as a browser like Firefox.
Mozilla, the folks who make Firefox and other great internet software, have a rigorous process for approving certificate authorities before allowing their software to trust the certificates they sign. Once a certificate has been approved, it makes its way into the NSS (Network Security Services) libraries, which are what Firefox and other software use to determine whether they can trust a particular cert. The certificates can be found in the NSS source code, in the certdata.txt file.
Lots of Linux and open source software uses Mozilla's list of certificate authorities, most notably curl. The curl project has also built a nice utility called mk-ca-bundle that grabs Mozilla's certificate data and builds a PEM file from it.
So we can use this utility to build a file that can replace the cacerts file that Java ships with. We will use one additional utility called keyutil to convert the certificate file into the JKS (Java KeyStore) file format. You could also potentially use openssl to convert the PEM file to PKCS12 and then import it using Java's keytool executable.
Here's a shell script that builds a Java keystore out of the Mozilla trusted certificate authority list.
#!/bin/sh
curl -o certdata.txt 'https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt'
perl mk-ca-bundle.pl -n > ca-bundle.crt
java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt
Now you can specify the JVM arguments to have it use the new SSL certificate authority file:
-Djavax.net.ssl.trustStore=/path/to/trustStore.jks
If you specified a password other than changeit, you will also need to pass the password into the JVM arguments:
-Djavax.net.ssl.trustStorePassword=yourPassword
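Before pointing a JVM at the new file, it is worth confirming that the keystore actually contains what you expect: only trusted certificate entries, all of them CA certificates, none of them expired. The following is an added example (not part of the original post or of keyutil) that loads trustStore.jks with the standard KeyStore API and reports anything that does not belong in a trust anchor store; the path and password default to the values used in the script above and can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

// Sanity-check a JKS truststore built from Mozilla's CA list (added example, not from the post).
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Assumed defaults match the script above; both may be overridden: java TrustStoreCheck <path> <password>
        String path = args.length > 0 ? args[0] : "trustStore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            // load() also verifies the keystore's integrity MAC with the password,
            // so a wrong password or a tampered file fails here rather than silently.
            ks.load(in, password);
        }

        Date now = new Date();
        int anchors = 0, expired = 0, notCa = 0, other = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                // A truststore should never carry private keys or secret keys.
                other++;
                System.out.println("UNEXPECTED non-certificate entry: " + alias);
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            anchors++;
            if (cert.getNotAfter().before(now)) {
                expired++;
                System.out.println("EXPIRED " + cert.getNotAfter() + ": " + cert.getSubjectX500Principal());
            }
            if (cert.getBasicConstraints() < 0) {
                // getBasicConstraints() returns -1 when the certificate is not marked as a CA.
                notCa++;
                System.out.println("NOT A CA certificate: " + cert.getSubjectX500Principal());
            }
        }
        System.out.printf("%d trust anchors, %d expired, %d not CA, %d non-certificate entries%n",
                anchors, expired, notCa, other);
        // Non-zero exit lets a build or deployment script refuse a questionable truststore.
        System.exit(expired + notCa + other == 0 ? 0 : 1);
    }
}
```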
Using Mozilla's Certificate Authority List for Java SSL was first published on June 06, 2014.