
Every year or thrice a month we have certificate updates for our various clients.

We need to open their website, view the certificate in Chrome and download it as .der.

Every time we run the keytool command and update it in cacerts locally for development and in Production for the connection.

Is there a way, through "Java code", to download and update the cacerts folder every time to prevent abrupt downtimes, or any other way to do it?

fatherazrael
  • The short answer is: probably. I don't know of a ready-made solution so it probably needs to be customised. From which organisation are they getting their certs? – g00se May 23 '22 at 09:52
  • As hinted by @g00se if they use(d) certs from a properly-run CA this shouldn't be necessary. If it is, you _can_ write code with a dummy TrustManager that writes the cert before/without validating, but you can get nearly there with `keytool -printcert -rfc -sslserver $host[:$port] >file` -- this gets the cert _chain_, then you only need to pick out which cert you want and feed it back into `keytool -importcert` (or equivalent code). However, using keytool is out of scope for SO. – dave_thompson_085 May 23 '22 at 12:09

1 Answer

Yes, although you should probably ask yourself why you need to. Edge cases do abound and sometimes it is simply necessary.

There is the Keystore API and you could write some code against that as detailed here: https://www.baeldung.com/java-keystore

You will, of course, need to ensure that correct checks and access control are in place, otherwise a bad actor could use this to modify your keystore and cause the system to permit connections to/from things it shouldn't.

roadSurfer
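One way to script the two steps the question describes (fetch the chain the client's server presents, then import a certificate with the KeyStore API), as an added example that is not from the question, the answer or the linked article. The host, alias, output path, the cacerts location under `java.home` and the default `changeit` password are assumptions; the code writes to a new file rather than touching the live cacerts, so the operator controls when the swap happens.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class CacertsUpdater {

    // Record the chain the server presents. Validation is skipped here only to
    // observe the chain; the socket is closed right after the handshake and
    // never used for application data, so nothing trusts this connection.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return seen[0];
    }

    // Load the existing truststore, add the certificate under the alias and
    // write the result to a separate file (the live cacerts is left untouched).
    static void importCert(Path src, Path dst, char[] pw, String alias,
                           X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(src)) { ks.load(in, pw); }
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = Files.newOutputStream(dst)) { ks.store(out, pw); }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = fetchChain("client.example", 443); // assumed host
        // Import the last certificate the server sent (the highest CA it
        // provides) rather than the leaf, so a later leaf renewal signed by the
        // same CA needs no further change to cacerts.
        X509Certificate ca = chain[chain.length - 1];
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path updated = Paths.get("cacerts.new"); // assumed output path
        importCert(cacerts, updated, "changeit".toCharArray(), "client-example-ca", ca);
        System.out.println("Imported " + ca.getSubjectX500Principal() + " into " + updated);
    }
}
```

Review the printed subject before swapping the new file into place, and restrict who can run this and write to the output path, for the reason the answer gives.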