Sunday, December 28, 2008

Java and SSL Certificates

Overview


I have a Linux box at home, running Apache 2.2, that I use to archive pictures. I use an application called Gallery as a front end to organize and view the photos. I'm using a Java application called Gallery Remote to upload pictures to the server. I've also added SSL encryption so that the username and password used to access the site are not sent in the clear.

Problem and Solution


The problem was that Gallery Remote wasn't able to connect to the server. It seemed to be having problems with the SSL certificate I had on the web server. I was using a self-signed SSL certificate, so that was definitely possible. I checked the SSL certificate and found that it had expired. I generated a new certificate using the instructions on the Apache website. The relevant text is shown below.

How do I create a self-signed SSL Certificate for testing purposes?

  1. Make sure OpenSSL is installed and in your PATH.

  2. Run the following command, to create server.key and
     server.crt files:

       $ openssl req -new -x509 -nodes -out server.crt -keyout server.key

     These can be used as follows in your httpd.conf file:

       SSLCertificateFile    /path/to/this/server.crt
       SSLCertificateKeyFile /path/to/this/server.key

  3. It is important that you are aware that this server.key does not
     have any passphrase. To add a passphrase to the key, you should run
     the following command, and enter & verify the passphrase as requested.

       $ openssl rsa -des3 -in server.key -out server.key.new
       $ mv server.key.new server.key

     Please backup the server.key file, and the passphrase you entered,
     in a secure location.



After restarting the web server, I was still having problems with Gallery Remote. I then found out that Java has its own repository of trusted SSL certificates. My SSL certificate was a self-signed certificate, so it definitely wasn't in the default SSL certificate trust list. One method of adding the certificate is by going through the Java control panel. Another method is to add it through the command line. This was described on the Gallery Remote FAQ page. The relevant text is shown below.

Using HTTPS

You can use https:// URLs with Gallery Remote to connect to secured web sites. This functionality is only available on Java 1.4 and later. If the site you are attempting to connect to uses a server certificate that is not certified by a trusted certificate authority, Gallery Remote will be unable to connect. If this happens, you will need to add the site's certificate to the Java registry of trusted certificates:

For Windows:
  1. Go to the site with Internet Explorer
  2. Go to menu File>Properties
  3. In the Properties window, click Certificates
  4. On the Details tab, click Copy to File...
  5. In the wizard, select DER-encoded X.509 certificate and save it to a file
  6. Open a console window (cmd.exe)
  7. Type the following command-line:

       keytool -import -trustcacerts -file path_to_cer_file -keystore %JAVA_HOME%/jre/lib/security/cacerts -alias arbitrary_name

You'll be prompted for the store password, which by default is changeit


I used that and it worked. It's interesting to note that Java uses its own keystore and that there's a default password used if using the command line.
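The whole procedure from this post, regenerating the self-signed certificate and then making Java trust it, as one added example in the shell it is typed into. This is my own script, not the Apache or Gallery Remote instructions quoted above. Two practical points it bakes in: the quoted Apache command has no -days option, so OpenSSL gives the certificate its default 30-day lifetime, which is exactly the expiry the post ran into, and the quoted keytool command writes into the JRE's own cacerts file with the well-known password changeit, a file that is replaced on every Java update (and that lives at $JAVA_HOME/lib/security/cacerts, with no jre directory, from JDK 9 on). The script instead sets an explicit lifetime, checks the expiry date the way the troubleshooting step did, and imports the certificate into a private truststore that is handed to the client with -Djavax.net.ssl.trustStore. Assumed, not from the page: the hostname gallery.example.com, the output directory ./tls, a 365-day lifetime, and the truststore password. The -trustcacerts flag from the FAQ is left out because it only matters when the imported certificate chains to something already in cacerts; for a self-signed certificate it does nothing.

```shell
#!/bin/sh
# Added example, not from the original post, Apache or Gallery Remote:
# regenerate a self-signed server certificate, check it has not expired,
# and import it into a private Java truststore instead of the JRE's cacerts.
set -eu

HOST="${HOST:-gallery.example.com}"          # assumed server name
TLSDIR="${TLSDIR:-./tls}"                    # assumed output directory
DAYS="${DAYS:-365}"                          # explicit; the Apache FAQ command
                                             # omits -days and gets the 30-day default
STOREPASS="${STOREPASS:-gallery-truststore}" # assumed; not the cacerts default 'changeit'

# Step 1: key and self-signed certificate. The name goes into subjectAltName as
# well as the CN, because modern TLS clients match the hostname against the SAN.
make_cert() {
  mkdir -p "$TLSDIR"
  cat > "$TLSDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $HOST
[v3]
subjectAltName = DNS:$HOST
EOF
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$DAYS" \
    -config "$TLSDIR/req.cnf" \
    -keyout "$TLSDIR/server.key" -out "$TLSDIR/server.crt" 2>/dev/null
  chmod 600 "$TLSDIR/server.key"   # only the web server (root at startup) needs to read it
}

# Step 2: the check that would have caught the post's problem early.
# -checkend N succeeds only if the certificate is still valid N seconds from now.
cert_valid_for_days() {
  openssl x509 -in "$TLSDIR/server.crt" -noout -checkend "$(( $1 * 86400 ))"
}

# Prints the notAfter date, i.e. the post's "I checked the certificate" step.
cert_expiry() {
  openssl x509 -in "$TLSDIR/server.crt" -noout -enddate
}

# Step 3: make Java trust it via a private JKS truststore. -noprompt skips the
# "Trust this certificate?" question; keytool creates the keystore if absent.
import_into_truststore() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not on PATH (no JDK/JRE here); skipping truststore import" >&2
    return 0
  fi
  keytool -importcert -noprompt -alias "$HOST" -storetype JKS \
    -file "$TLSDIR/server.crt" \
    -keystore "$TLSDIR/gallery-truststore.jks" -storepass "$STOREPASS"
  # Confirm the entry landed as a trusted certificate.
  keytool -list -keystore "$TLSDIR/gallery-truststore.jks" -storepass "$STOREPASS" \
    | grep -i "trustedCertEntry"
}

make_cert
cert_expiry
cert_valid_for_days 30
import_into_truststore

# Apache side, as in the FAQ quoted above:
#   SSLCertificateFile    /path/to/tls/server.crt
#   SSLCertificateKeyFile /path/to/tls/server.key
# Client side (assumed launcher; the jar name is a placeholder), instead of editing cacerts:
#   java -Djavax.net.ssl.trustStore=tls/gallery-truststore.jks \
#        -Djavax.net.ssl.trustStorePassword=gallery-truststore -jar GalleryRemote.jar
```

The private truststore only ever holds public certificates, so its password protects integrity rather than secrecy; passing it on the command line is acceptable for that, whereas the same habit with a keystore holding private keys is not. Keep server.key itself out of any directory the web server serves.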
