Using Mozilla's Certificate Authority List for Java SSL
Every so often you run into an issue where you need to import a certificate signing authority's certificate into Java's
cacerts certificate authority file. Oracle does a update the cacerts file every so often, but they never seam to be as up to date as a browser like FireFox.
Mozilla, the folks that make FireFox and other great internet software have a rigorous process for approving certificate signing authorities before allowing their software to trust the certificates they sign. Once a certificate has been approved it makes it way into the NSS (Network Security Services) libraries which is what FireFox and other software use to determine if they can trust a particular cert. The certificates can be found in the NSS source code: here.
Lots of linux /open source software uses Mozilla's list of certificate authorities, most notably is
curl -- they have also built a nice utility to grab mozilla's source code and build a PEM file called
So we can use this utility to build a file that can replace the
cacerts file that java ships with. We will use one additional utility called keyutil to convert the certificate file into a JKS (java keystore) file format. You could also potentially use openssl to convert the PEM file to PKCS12 and then import it using java's
Here's a shell script that builds the a java keystore out of the mozilla trusted certificate authority list.
#!/bin/sh curl -o certdata.txt 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' perl mk-ca-bundle.pl -n > ca-bundle.crt java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt
Now you can specify the JVM arguments to have it use the new SSL certificate authority file:
If you specified a password other than
changeit you will also need to pass the password into the JVM arguments:
- How to Resolve Java HTTPS Exceptions - November 21, 2018
- Bookmarklets and Search Plugins for javadocs.org - May 12, 2004
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained