3

With the same url, this ends up giving a verify return code 20 (unable to get local issuer of certificate):

openssl s_client -connect $URL:443 -showcerts -CAfile /etc/ssl/certs/java/cacerts

This gives a verify return code of 0:

openssl s_client -connect $URL:443 -showcerts -CApath /etc/ssl/certs

As does ... -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem.

But that cert is already in the java keystore. I need to be able to access the url from Java-land and I can't figure out what's going on. I'm a total n00b here so any help would be appreciated.

ben w
  • 131
  • 1
  • 6

1 Answers1

5

Tha cacerts file is a JKS-format keystore, which OpenSSL doesn't support (it's the standard keystore format for Java, but isn't commonly supported by non-Java utilities)

If you want to use openssl s_client with the certs from that keystore, you can extract them into a usable form with

keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts > cacerts.pem

(the default password for the cacerts file is "changeit", but if you just want to see the public certs you can just enter a blank password and it will be fine)

andytech
  • 311
  • 1
  • 4