Making Self-Signed Certificates Trusted

JDK Tutorials - Herong's Tutorial Examples - Version 6.02, by Dr. Herong Yang

JDK Tutorials - Herong's Tutorial Examples

∟SSL Socket Communication Testing Programs

∟Making Self-Signed Certificates Trusted

This section provides a tutorial example on how to make a self-signed certificate trusted during a SSL socket communication.

One way to resolve the self-signed certificate problem shown in the previous section, is to pre-install the server's public key on the client machine and define it as a trusted certificate:

On the server side, export my public key out as a certificate.
One the client side, import the server's public key into a key store file.
Run the SSL client program with the key store file as trusted. This can be done by using "-Djavax.net.ssl.trustStore=myKeyStore.jks" as java option.

Here is what I did on the server side:

keytool.exe -exportcert -alias my_home -file my_home.crt 
   -keystore herong.jks -storepass HerongJKS
   
Certificate stored in file <my_home.crt>

>"send my_home.crt to the client machine..."

Here is what I did on the client side:

>"receive my_home.crt from the server machine..."

>keytool.exe -importcert -alias herong_home -file my_home.crt 
   -keystore public.jks -storepass PublicJKS

Owner: CN=Herong Yang, OU=My unit, O=My home, L=My city, ST=My sta...
Issuer: CN=Herong Yang, OU=My unit, O=My home, L=My city, ST=My st...
Serial number: 42266fba
Valid from: Sat Jul 05 21:00:26 EST 2014 until: ...
Certificate fingerprints:
         MD5:  55:2C:5B:49:47:CB:61:40:FD:1A:3C:B7:16:6C:8E:7E
         SHA1: EC:B6:77:A1:21:9F:7E:AE:AF:B0:7C:AC:C5:B7:24:B7:45:...
Trust this certificate? [no]:  y
Certificate was added to keystore

Now run SslReverseEchoer.java again. Then run SslSocketClient with public.jks:

>java -cp . -Djavax.net.ssl.trustStore=public.jks
   SslSocketClient

Socket class: class com.sun.net.ssl.internal.ssl.SSLSocketImpl
   Remote address = localhost/127.0.0.1
   Remote port = 8888
   Local socket address = /127.0.0.1:2187
   Local address = /127.0.0.1
   Local port = 2187
   Need client authentication = false
   Cipher suite = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   Protocol = TLSv1
Welcome to SSL Reverse Echo Server. Please type in some words.
Hello world!
!dlrow olleH
It works!
!skrow tI
.

Congratulations! We have successfully used JSSE to create a SSL socket communication.

Note that:

Even I specified SSL when constructing the SSLContext object, the final protocol used in the communication is TLSv1. I don't know why.
Client authentication is not used.

Last update: 2014.

Table of Contents

About This JDK Tutorial Book

Downloading and Installing JDK 1.8.0 on Windows

Downloading and Installing JDK 1.7.0 on Windows

Downloading and Installing JDK 1.6.2 on Windows

Java Date-Time API

Date, Time and Calendar Classes

Date and Time Object and String Conversion

Number Object and Numeric String Conversion

Locales, Localization Methods and Resource Bundles

Calling and Importing Classes Defined in Unnamed Packages