javax.net.ssl.trustStore Option Behaviour
Posted on March 10, 2021 (Last modified on March 17, 2025) • 2 min read • 336 wordsIn this tutorial we will test the behaviour of `javax.net.ssl.trustStore` option. The objective is to check whether `-Djavax.net.ssl.trustStore` option append or replace the default java keystore being used by java.
Introduction
In this tutorial we will test the behaviour of javax.net.ssl.trustStore option.
The objective is to check whether -Djavax.net.ssl.trustStore option append or replace the default java keystore being used by java.
javax.net.ssl.trustStore behaviour test plan
- Create HttpsUrlReader app to test https connection to two sites, https://helloworld.letsencrypt.org/ (Signed by let’s encrypt) and https://icanhazip.com (signed by Comodo)
- Using default trust store /etc/ssl/certs/java/cacerts connect to both sites above.
- Remove Let’s Encrypt Root certificates (ISRG and DST / TrustID) from default cacerts. Connection to https://helloworld.letsencrypt.org/ will be failed but connection to https://icanhazip.com will be successful.
- Create new keystore with contents ISRG and DST root certificates.
- Use the new keystore to connect, connection to https://helloworld.letsencrypt.org/ will be successful but connection to https://icanhazip.com (and other sites using SSL certs not issued by let’s encrypt and DST / TrustCA will be failed.
javax.net.ssl.trustStore Step By Step Test
1.Install openjdk-8-jdk on Ubuntu 16.04
sudo apt-get install openjdk-8-jdk2.Create <strong>HttpsUrlReader</strong> app . Source code can be found in
this link.
3.Check connections without providing custom keystore (both will succeed)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org4.Remove Let’s Encrypt Root certificates
sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacertsNote:
To search alias we can list all certificates inside keystore using command below.
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias5.Check connection without providing custom keystore (icanhazip.com will succeed, helloworld.letsencrypt.org will fail)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org6.Download ISRG And DST / TrustID Root
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/isrgrootx1.pem
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/trustid-x3-root.pem7.Add ISRG and DST root to new keystore named customKeystore
keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore
keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystorenew keystore <strong>customKeystore</strong> will be created on current working directory.
8.Check connection using new <strong>customKeystore</strong>. Let’s encrypt will success, icanhazip.com will fail
java -Djavax.net.ssl.trustStore=customKeystore -Djavax.net.debug=ssl HttpsUrlReader https://icanhazip.com
java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader https://helloworld.letsencrypt.orgConclusion
When we provide javax.net.ssl.trustStore option to java application, the default keystore will not be used. The custom trust store passed by javax.net.ssl.trustStore option replace the default keystore.