
I have a requirement where I need to run a Java-based HTTP server on SSL and connect to it from browsers. I also need to make sure that browsers don't show the security exception for a self-signed certificate.

I did the following:

  1. Generated a JKS keystore using Java keytool -genkey.
  2. Imported that keystore as a PKCS12 .p12 file, using keytool -importkeystore.
  3. Loaded the .p12 file into an X509Certificate2 object and added it to the Root and CertificateAuthority stores:

    using System.Security.Cryptography.X509Certificates;

    // cert is the X509Certificate2 loaded from the .p12 file in step 3
    X509Store store5 = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    store5.Open(OpenFlags.ReadWrite);
    store5.Add(cert);
    store5.Close();

    X509Store store2 = new X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine);
    store2.Open(OpenFlags.ReadWrite);
    store2.Add(cert);
    store2.Close();

  4. Exported a certificate file from the JKS keystore.

  5. Added that .cer file to Java's cacerts.

Now when I run the HTTP server, it picks up the certificate and serves HTTPS requests, but the browser still shows the site as untrusted.

Fildor
Nitin Tomer
  • I'm voting to close this question as off-topic because what you want to do is impossible. –  Aug 01 '16 at 09:11
  • I suggest you read more about how SSL works. I really don't like people meddling with security stuff they don't have a clue about, with the goal to not have any error messages, not to build a secure product. – dryman Aug 01 '16 at 09:19
  • I do understand the risk involved. The situation here is such that it is required. I have a web app, which needs to do certain things on the local machine. For which I will install an HTTP server on the local machine, and the web app will connect to it. For that I need the browser to trust the certificate. – Nitin Tomer Aug 01 '16 at 09:34
  • This is an enterprise application and users will be aware of the risk involved. – Nitin Tomer Aug 01 '16 at 09:34
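Added example, not code from the question or from either answer: a stricter version of step 3 that writes only the public certificate to LocalMachine\Root (no private key, and no entry in the CertificateAuthority store, which holds intermediates and is not needed for a self-signed leaf) and then asks Windows, via X509Chain, whether it actually trusts the certificate now, which is the check the question never makes. The .p12 path and password are placeholders and the class and method names are mine; writing LocalMachine\Root needs an elevated process.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example (not code from the question or the answers). Installs only the
// public certificate from the .p12 into LocalMachine\Root and verifies trust.
// Path and password are placeholders; writing LocalMachine\Root needs admin rights.
static class LocalTrust
{
    public static bool InstallPublicCert(string p12Path, string p12Password)
    {
        byte[] publicDer;
        // Load the .p12 only long enough to strip the key: Export(Cert) returns
        // the bare DER certificate, so no private key reaches the trust store.
        using (var withKey = new X509Certificate2(p12Path, p12Password))
        {
            publicDer = withKey.Export(X509ContentType.Cert);
        }

        using (var cert = new X509Certificate2(publicDer))
        using (var root = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            root.Open(OpenFlags.ReadWrite);
            // Idempotent: an installer that runs twice must not add duplicates.
            var already = root.Certificates.Find(
                X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (already.Count == 0) root.Add(cert);
            return ChainBuilds(cert);
        }
    }

    // The check missing from the question: after the store write, does the OS
    // build a valid chain for the certificate? A false result with UntrustedRoot
    // in the status list means the browser will still warn.
    public static bool ChainBuilds(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            // A self-signed cert carries no CRL/OCSP URL, so skip revocation lookups.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool ok = chain.Build(cert);
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine($"{s.Status}: {s.StatusInformation}");
            return ok;
        }
    }
}
```

A chain that builds proves only that the issuer is trusted; the browser also checks that the name it connected to matches the certificate, so the certificate must carry the hostname (for example localhost) that the web app uses to reach the local server.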

2 Answers


Of course it is impossible. The whole purpose of the error message of the browser is to alert the user that the website is using a certificate that is unsafe.

After you send the certificate request to the CA, you should get the CA certificate along with a "bundle", which is two or more certificates chained (concatenated). You install that into the JKS (Java keystore) and the browser will accept your website as secure.

There are numerous resources on this topic available through your favorite search engine...

Sharon Ben Asher
  • (I am not the downvoter) I guess it is because your answer is correct only if you add "without importing the certificate in the browser", which I guess you did not take into account. Personally I would have written a comment though, in preference to a DV. – Fildor Aug 01 '16 at 09:16
  • Impossible indeed. SSL relies on a chain of trust: a trusted organisation issuing a certificate to another and so on. Otherwise a certificate could be forged. Naturally this is also a cheap way to print money. – Joop Eggen Aug 01 '16 at 09:18
  • Please suggest a way my requirements can be met with a CA-provided certificate. I need to run an HTTP server on every client machine, which will listen to requests from my webapp. – Nitin Tomer Aug 01 '16 at 09:36
  • "need to run a HTTP server on every client machine"? Surely you got it backwards. Your webapp is running inside the HTTP server. Anyway, see edited answer. – Sharon Ben Asher Aug 01 '16 at 09:44
  • I need to do some stuff on the client machine, which will be triggered by my WebApp. To achieve this, I am installing a very light-weight HTTP server on every client machine. WebApp would call this local web server, which will trigger an operation on the client machine. – Nitin Tomer Aug 01 '16 at 09:52
  • Seems like what you need is a messaging system, where the server can initiate a communication with the clients: http://docs.oracle.com/javaee/6/tutorial/doc/bncdq.html – Sharon Ben Asher Aug 01 '16 at 10:56
  • How will a messaging system work between a Web application and a client machine? – Nitin Tomer Aug 02 '16 at 03:14

Nitin, the option here is to install the certificate that you generated in the browser. You have not specified which browser; I am taking IE as an example. You can import the certificates.

Please, please note: I am importing them into a trusted store because I know I created them and I trust the issuer of the certificate. Never do that for untrusted 3rd-party sites. Additionally, you may want to add the site as a trusted site with lesser security if you trust it.


Ramachandran.A.G
  • I know that it could be done this way. But I want to add this silently when the HTTP server is installed, so that the user doesn't get a prompt later on. – Nitin Tomer Aug 01 '16 at 09:35
  • You can install the cert by command line: https://technet.microsoft.com/en-us/library/cc732061(v=ws.10).aspx – Marco A. Hernandez Aug 01 '16 at 10:56
  • @NitinTomer Quick Q then, since your clients can be on any machine and the machines each have their own policies for web security, how can you centrally manage them with a certificate on the web server? If you use a certificate issued by a "trusted CA" (Verisign/Thawte or someone similar) you have a chance. With self-signed certificates, you cannot do it on all client machines that access your site. – Ramachandran.A.G Aug 01 '16 at 11:01
  • @Ramachandran The main web application will run on a central server and will use a certificate provided by a trusted CA. I need to trigger scanning on the client machine from the web app. For that I am using a local HTTP server, which uses a self-signed certificate. I need to make the browsers trust this certificate. – Nitin Tomer Aug 02 '16 at 03:12