Connecting to a self-signed SSL certificate from Java on Debian/Ubuntu

You want to connect from Java to a server that uses a self-signed SSL certificate, using the standard HttpsURLConnection, and you get this error because Java does not recognize the self-signed certificate:

SEVERE: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1639)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:215)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:209)

There seem to be a lot of ‘solutions’ (read: hacks) and workarounds around the web, which are summarized well in this Stack Overflow article.

There is actually a very easy (and secure) way on Debian based systems.

– Go to your HTTPS URL with Firefox
– Right-click and choose ‘View Page Info’
– In the ‘Security’ tab you will see a button saying ‘View Certificate’
– Now click on the ‘Details’ tab
– Finally, click on the ‘Export’ button, which offers to save the PEM certificate of the website somewhere on your filesystem.

Call it my.self.signed.domain.name.pem (replacing my.self.signed.domain.name with your own host name) and put the file in /etc/ssl/certs. Now you just have to run the command:

sudo update-ca-certificates

It should add your certificate to the Java keystore. You can check it with the following command (press Enter at the password prompt):

keytool -list -v -keystore /etc/ssl/certs/java/cacerts
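
A pre-flight check for the steps above, as an added example that is not part of the original post: it confirms that the exported file holds exactly one certificate and that its SHA-256 fingerprint matches a value obtained from the server's operator before the file is staged for update-ca-certificates. The function names are hypothetical, and the default destination is /usr/local/share/ca-certificates with a .crt suffix, the location the commenters below report as the one that gets picked up.

```sh
#!/bin/sh
# Added example (hypothetical helper names): check an exported PEM before
# making it a system-wide trust anchor for Java and everything else.

# SHA-256 of the DER bytes inside a single-certificate PEM file, as lowercase
# hex without colons. This is the certificate's SHA-256 fingerprint.
pem_sha256() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' | tr -d '\r\n ' | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint written as "AB:CD:..." to lowercase hex.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# stage_cert PEM EXPECTED_FINGERPRINT [DEST_DIR]
# Copies PEM to DEST_DIR/<name>.crt only if every check passes and prints the
# staged path. Return codes: 2 unreadable, 3 wrong cert count, 4 mismatch.
stage_cert() {
    pem=$1
    want=$(norm_fp "$2")
    dest=${3:-/usr/local/share/ca-certificates}
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    # One certificate per file: a bundle would add every certificate in it.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$n" -eq 1 ] || { echo "expected exactly 1 certificate, found $n" >&2; return 3; }
    got=$(pem_sha256 "$pem")
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: got $got" >&2; return 4; }
    name=$(basename "$pem"); name=${name%.pem}; name=${name%.crt}
    cp "$pem" "$dest/$name.crt" && echo "$dest/$name.crt"
}

# Usage (as root), followed by the two commands from the article:
#   stage_cert my.self.signed.domain.name.pem 'AB:CD:...'
#   update-ca-certificates
#   keytool -list -v -keystore /etc/ssl/certs/java/cacerts
```
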

3 thoughts on “connecting to self signed SSL certificate from Java on Debian/Ubuntu”

  1. nice article, a few notes:

    – you should install the file in /usr/local/share/ca-certificates with crt extension (to be picked up by update-ca-certificates)

  2. Thanks man, I wish I would have found your article first. Still two notes: First, it seems that at least for my Ubuntu 12.04 installation jugbucuresti is right that it actually needs to be in /usr/local/share/ca-certificates, as /etc/ssl/certs is actually stuffed with symbolic links to this dir and its non-local counterpart by update-ca-certificates. Second: It needs to have a suffix .crt instead of .pem to be actually picked up.
