Using a Custom Certificate in JVM
Establish a connection using a custom protocol (including http/https) to your own server that has a self-signed or CAcert certificate.
Troubleshooting
If you see the following error:
Cannot create connection. Reason is sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid connection...
PKIX path building failed
java.lang.RuntimeException: Cannot create connection. Reason is sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, unable to find valid certification path to requested target at datameer.dap.sdk.datastore.FileDataStoreModel.testConnect(FileDataStoreModel.java:58
You need to store the server certificate within the Java VM.
Storing a Server Certificate
Gather and import the root certificates of the particular authority.
curl -k -o "cacert-root.crt" "https://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "https://www.cacert.org/certs/class3.crt"
echo $JAVA_HOME
sudo keytool -keystore ${JAVA_HOME}/lib/security/cacerts -storepass changeit -import -trustcacerts -v -alias cacertclass3 -file cacert-class3.crt
sudo keytool -keystore ${JAVA_HOME}/lib/security/cacerts -storepass changeit -import -trustcacerts -v -alias cacertclass1 -file cacert-root.crt
Gather and import the server certificate.
openssl s_client -connect www.<youraddress>.de:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > <youraddress>.pem
sudo keytool -keystore ${JAVA_HOME}/lib/security/cacerts -storepass changeit -import -trustcacerts -v -alias <youraddress>cert -file <youraddress>.pem
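Both steps above import whatever certificate the download returned: curl -k skips TLS verification and openssl s_client saves the certificate the server presents. As an added example (not part of the original page), the shell functions below compare the file's SHA-256 fingerprint with a value obtained out of band before calling keytool. The function names and the expected-fingerprint argument are assumptions; the keystore path and password are the ones used on this page.

```shell
# Added example: pin a certificate's SHA-256 fingerprint before importing it
# into the JVM truststore. All function names here are hypothetical.

# Reduce "sha256 Fingerprint=AB:CD:..." (or a bare hex string) to uppercase hex.
normalize_fp() {
  printf '%s' "${1##*=}" | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if both fingerprints are non-empty and equal after normalizing.
fp_matches() {
  local a b
  a=$(normalize_fp "$1")
  b=$(normalize_fp "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of a PEM certificate file; fail if unparsable.
cert_sha256() {
  local out
  out=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
  normalize_fp "$out"
}

# import_pinned_cert <pem-file> <alias> <expected-sha256> [keystore]
# The expected fingerprint must come from a channel other than the download.
# Returns 2 if the file is not a certificate, 1 on mismatch, else keytool's status.
import_pinned_cert() {
  local pem cert_alias expected keystore actual
  pem="$1"; cert_alias="$2"; expected="$3"
  keystore="${4:-${JAVA_HOME}/lib/security/cacerts}"
  actual=$(cert_sha256 "$pem") || { echo "cannot parse $pem" >&2; return 2; }
  if ! fp_matches "$actual" "$expected"; then
    echo "fingerprint mismatch for $pem: got $actual" >&2
    return 1
  fi
  keytool -importcert -noprompt -trustcacerts -keystore "$keystore" \
    -storepass changeit -alias "$cert_alias" -file "$pem"
}

# Usage (run with the same privileges as the keytool commands above):
#   import_pinned_cert cacert-root.crt cacertclass1 "<published fingerprint>"
```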
The JVM doesn't support all possible key sizes. In JVM 1.6 the maximum is 1024 bits. This can lead to the following error:
java.lang.RuntimeException: Cannot create connection. Reason is java.lang.RuntimeException: Could not generate DH keypair, Could not generate DH keypair, Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive) at datameer.dap.sdk.datastore.FileDataStoreModel.testConnect(FileDataStoreModel.java:58)
This limitation is improved in JDK 8; see the JDK 8 Security Enhancements.