How to set up Java VM to use the root certificates (truststore) handled by Mac OS X

You can use the Apple JCA Provider to use the OSX keychain as the Java trust store. Just start the JVM with the following system property:

    -Djavax.net.ssl.trustStoreType=KeychainStore

You can set this property for every started JVM using the JAVA_TOOL_OPTIONS environment variable, as described in hagrawal’s answer.

Is it possible to get Java to ignore the “trust store” and just accept whatever SSL certificate it gets?

Working code (in jdk1.6.0_23) for #1.

Imports

    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import java.security.cert.X509Certificate;

The actual trust all TrustManager code.

    TrustManager trm = new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
    };

    SSLContext …

How to create an empty java trust store?

Using keytool, create a random key pair:

    keytool -genkeypair -alias boguscert -storepass storePassword -keypass secretPassword -keystore emptyStore.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"

then delete it:

    keytool -delete -alias boguscert -storepass storePassword -keystore emptyStore.keystore

review its contents:

    $ keytool -list -keystore emptyStore.keystore -storepass storePassword
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 0 …

How to generate keystore and truststore

I followed this link.

1. Generate keystore (at server):

    keytool -genkey -alias bmc -keyalg RSA -keystore KeyStore.jks -keysize 2048

2. Generate new ca-cert and ca-key:

    openssl req -new -x509 -keyout ca-key -out ca-cert

3. Extracting cert/creating cert sign req (csr):

    keytool -keystore KeyStore.jks -alias bmc -certreq -file cert-file

4. Sign the "cert-file" and cert-signed will be the new cert:

    openssl x509 …

Why does java have both the cacerts and jssecacerts files?

From Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:

1. system property javax.net.ssl.trustStore
2. java-home/lib/security/jssecacerts
3. java-home/lib/security/cacerts (shipped by default)

I think this is based on convention over configuration concept. Without extra coding effort, cacert will be used. For extra private CA/Signing certs, a developer either can use …

Specifying trust store information in spring boot application.properties

If you need to make a REST call, you can do it the following way. This will work for outgoing calls through RestTemplate. Declare the RestTemplate bean like this.

    @Configuration
    public class SslConfiguration {
        @Value("${http.client.ssl.trust-store}")
        private Resource keyStore;
        @Value("${http.client.ssl.trust-store-password}")
        private String keyStorePassword;

        @Bean
        RestTemplate restTemplate() throws Exception {
            SSLContext sslContext = new SSLContextBuilder()
                    .loadTrustMaterial( …