Puru Uttam

Tomcat SSL Handshake

The requirement is to stop an application deployed in the Tomcat container from trusting every public certificate, so that it completes an SSL handshake only with the certificate(s) provided by the organization.

By default, all trusted Certificate Authorities are stored in a Java keystore file [cacerts] located at

<Java Installation Path>\jdk1.<version>/jre/lib/security/cacerts

which contains every trusted SSL certificate issued by those Certificate Authorities, so a web application deployed on Tomcat can reach any external HTTPS web service (SOAP or REST) or application. The requirement is to restrict Tomcat to the organization's own certificates. To achieve this business case, we override the cacerts file: create a new keystore that contains only the required trusted certificate(s) and place it at

${CATALINA_BASE}/conf/cacerts

. This file contains no entries to start with. Once this is done, an application deployed on Tomcat will start throwing SSLHandshakeException for any other certificate it uses that is not listed in the new cacerts. The exception seen is

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To do this, first download the trusted certificate from the browser in .cer format. To trust a new Certificate Authority:

  • View the certificate presented by the server

  • Find the Certificate Authority that issued the certificate

  • Download the certificate of the Certificate Authority that issued the certificate

  • Import the Certificate Authority's certificate into the trusted list as test.cer

Steps to add the certificate to the trusted list:

  • Open a command prompt (cmd) in administrator mode

  • Navigate to /conf (the directory holding the new cacerts file)

  • Check how many certificates are currently in the trusted list (if there are none because you are doing this for the first time, skip this step) by running

keytool -list -keystore cacerts > d:\beforecerts.txt

  • Open beforecerts.txt and note the number of imported certificates: Your keystore contains n entries

  • Issue the following command to import the certificate test.cer

keytool -import -trustcacerts -alias <aliasname> -file <location>\test.cer -keystore cacerts

  • Check the number of certificates in the trusted list again

keytool -list -keystore cacerts > d:\aftercerts.txt

  • Open aftercerts.txt and check the number of imported certificates; it should have increased by 1

Now try to reach an external application whose certificate is not trusted by your Tomcat, and then one whose certificate is.
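As an added example (not code from the original post), here is a small Java program that loads the restricted conf/cacerts built with the keytool steps above and makes an HTTPS request through an SSLContext whose only trust anchors are the entries in that file. The truststore path, the password changeit (keytool's default) and the target URL are assumptions, each overridable on the command line; a server whose chain does not end in an imported CA is rejected with the PKIX error quoted earlier.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not part of the original post: trust only the CAs in a
 * restricted truststore and probe an HTTPS endpoint through it.
 */
public class RestrictedTrustProbe {

    /** Load the truststore written by keytool (JKS, or PKCS12; Java 9+ detects either). */
    static KeyStore loadTrustStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Count trusted-certificate entries, the number keytool -list reports. */
    static int countTrustedEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            if (ks.isCertificateEntry(aliases.nextElement())) {
                n++;
            }
        }
        return n;
    }

    /** SSLContext whose trust anchors come only from this truststore, not the JRE cacerts. */
    static SSLContext restrictedContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** HTTPS GET through the restricted context; returns the status code, or -1 if the handshake is rejected. */
    static int probe(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            return conn.getResponseCode();
        } catch (SSLHandshakeException e) {
            // The "PKIX path building failed" case from the post: issuer not in cacerts.
            System.err.println("Rejected by restricted truststore: " + e.getMessage());
            return -1;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: truststore at conf/cacerts (relative to CATALINA_BASE), keytool's
        // default password "changeit", and a placeholder URL; all three can be overridden.
        Path trustStore = Paths.get(args.length > 0 ? args[0] : "conf/cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String url = args.length > 2 ? args[2] : "https://internal.example/";

        KeyStore ks = loadTrustStore(trustStore, password);
        System.out.println(trustStore + " contains " + countTrustedEntries(ks) + " trusted entries");
        System.out.println("GET " + url + " -> " + probe(restrictedContext(ks), url));
    }
}
```

Run it as `java RestrictedTrustProbe conf/cacerts changeit https://host/` once against a host signed by the imported CA and once against any other host; only the first should return a status code. Two points worth checking in a real deployment: the JVM does not pick up ${CATALINA_BASE}/conf/cacerts on its own, so for code that uses the default SSLContext rather than an explicit one as above, point the JVM at the file with `-Djavax.net.ssl.trustStore=${CATALINA_BASE}/conf/cacerts` and `-Djavax.net.ssl.trustStorePassword=...` in CATALINA_OPTS (setenv.bat or setenv.sh); and with zero entries in the file, the JDK's PKIX trust manager refuses to initialise at all (`the trustAnchors parameter must be non-empty`), so the failure appears when the context is built rather than per connection.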
