javax.net.ssl.trustStore Option Behaviour

March 10, 2021 in Tutorial

Introduction

In this tutorial we test the behaviour of the javax.net.ssl.trustStore option. The objective is to check whether the -Djavax.net.ssl.trustStore option appends to, or replaces, the default keystore (cacerts) that Java uses for TLS trust decisions.

javax.net.ssl.trustStore behaviour test plan

  1. Create an HttpsUrlReader app to test HTTPS connections to two sites: https://helloworld.letsencrypt.org/ (signed by Let’s Encrypt) and https://icanhazip.com (signed by Comodo).
  2. Using the default trust store /etc/ssl/certs/java/cacerts, connect to both sites above.
  3. Remove the Let’s Encrypt root certificates (ISRG and DST / TrustID) from the default cacerts. The connection to https://helloworld.letsencrypt.org/ will fail, but the connection to https://icanhazip.com will succeed.
  4. Create a new keystore containing only the ISRG and DST root certificates.
  5. Connect using the new keystore. The connection to https://helloworld.letsencrypt.org/ will succeed, but the connection to https://icanhazip.com (and to any other site whose certificate chain does not end in the ISRG or DST / TrustID root) will fail.

javax.net.ssl.trustStore Step By Step Test

  1. Install openjdk-8-jdk on Ubuntu 16.04

    sudo apt-get install openjdk-8-jdk
  2. Create the HttpsUrlReader app. The source code can be found in this link.

  3. Check connections without providing a custom keystore (both will succeed)

    java HttpsUrlReader https://icanhazip.com
    java HttpsUrlReader https://helloworld.letsencrypt.org
  4. Remove the Let’s Encrypt root certificates from the default cacerts

    sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
    sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacerts

    Note: To find the alias of a certificate, list all certificates inside the keystore with the command below.

    keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias
  5. Check connections without providing a custom keystore (icanhazip.com will succeed, helloworld.letsencrypt.org will fail)

    java HttpsUrlReader https://icanhazip.com
    java HttpsUrlReader https://helloworld.letsencrypt.org
  6. Download the ISRG and DST / TrustID root certificates

    wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/isrgrootx1.pem
    wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/trustid-x3-root.pem
  7. Add the ISRG and DST roots to a new keystore named customKeystore

    keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore
    keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystore

    A new keystore customKeystore will be created in the current working directory.

  8. Check connections using the new customKeystore (helloworld.letsencrypt.org will succeed, icanhazip.com will fail)

    java -Djavax.net.ssl.trustStore=customKeystore -Djavax.net.debug=ssl HttpsUrlReader https://icanhazip.com
    java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader https://helloworld.letsencrypt.org
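The page links to the HttpsUrlReader source instead of reproducing it. The program below is an added example written for this edit, not the author's code. It keeps the class name and single URL argument used by the commands above and, before connecting, reports which trust store the JVM resolved and how many CA certificates it holds, so the append-or-replace question can be answered from the count alone: run with -Djavax.net.ssl.trustStore=customKeystore the count is 2, run with the distribution cacerts it is well over a hundred. The argument convention and the printed format are assumptions of this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// HttpsUrlReader (reconstructed example): fetches one HTTPS URL using the JVM's
// default SSLContext, so the trust material in effect is whatever
// -Djavax.net.ssl.trustStore selects, or the JDK cacerts when it is unset.
public class HttpsUrlReader {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java HttpsUrlReader <https-url>");
            System.exit(2);
        }
        printTrustStoreSummary();
        try {
            String body = fetch(args[0]);
            System.out.println("OK: " + args[0]);
            System.out.println(body.length() > 200 ? body.substring(0, 200) + "..." : body);
        } catch (SSLHandshakeException e) {
            // With a root missing from the trust store the JDK reports
            // "PKIX path building failed ... unable to find valid certification path".
            System.out.println("FAILED: " + args[0] + " -> " + e.getMessage());
            System.exit(1);
        }
    }

    // Reads the response body of an HTTPS URL with the default trust manager.
    static String fetch(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            StringBuilder sb = new StringBuilder();
            String line;
            while ((line = in.readLine()) != null) {
                sb.append(line).append('\n');
            }
            return sb.toString();
        }
    }

    // Initialising the factory with a null KeyStore makes it load the same default
    // trust store the TLS engine uses (javax.net.ssl.trustStore if set, else cacerts),
    // so the accepted-issuer count shows exactly what the handshake will trust.
    static void printTrustStoreSummary() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        System.out.println("trust store: "
                + System.getProperty("javax.net.ssl.trustStore", "<JDK default cacerts>"));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] anchors = ((X509TrustManager) tm).getAcceptedIssuers();
                System.out.println("trusted CA certificates: " + anchors.length);
            }
        }
    }
}
```

Compile with javac HttpsUrlReader.java and run it exactly as in the steps above. The summary line is printed before any network traffic, so even a failing connection shows which store was consulted and how many roots it contained.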

Conclusion

When the javax.net.ssl.trustStore option is passed to a Java application, the default keystore is not used at all: the custom trust store given by javax.net.ssl.trustStore replaces the default keystore rather than being appended to it.
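Because the option replaces the default store, an application that must trust both the distribution roots and an extra CA has to be given a merged trust store. The program below is an added example, not code from the original post: it copies every entry of the JDK's default cacerts into a new keystore, adds the PEM certificates named on the command line as trusted entries, and writes the result. It assumes the JDK's documented default cacerts password "changeit" and the $JAVA_HOME/lib/security/cacerts location (on Debian and Ubuntu a link to /etc/ssl/certs/java/cacerts); the class name TrustStoreMerger and the -Dcacerts.password override are invented here.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// TrustStoreMerger (example, not from the original page): builds a trust store that
// contains every CA already in the JDK default cacerts plus the given PEM certificates.
// Usage: java TrustStoreMerger <output-keystore> <cert.pem> [<cert.pem> ...]
public class TrustStoreMerger {

    // "changeit" is the JDK's default cacerts password; -Dcacerts.password overrides it.
    static final char[] CACERTS_PASSWORD =
            System.getProperty("cacerts.password", "changeit").toCharArray();

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustStoreMerger <output-keystore> <cert.pem>...");
            System.exit(2);
        }
        KeyStore merged = loadDefaultCacerts();
        int before = merged.size();
        for (int i = 1; i < args.length; i++) {
            addPemCertificate(merged, Paths.get(args[i]));
        }
        try (FileOutputStream out = new FileOutputStream(args[0])) {
            merged.store(out, CACERTS_PASSWORD);
        }
        System.out.println("default CAs: " + before + ", after merge: " + merged.size()
                + " -> " + args[0]);
    }

    // Loads the JDK default trust store from $JAVA_HOME/lib/security/cacerts.
    // Passing the password makes load() verify the keystore integrity as well.
    static KeyStore loadDefaultCacerts() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, CACERTS_PASSWORD);
        }
        return ks;
    }

    // Adds one PEM-encoded X.509 certificate as a trusted-certificate entry,
    // using the lower-cased file name as the alias (keytool lower-cases aliases too).
    static void addPemCertificate(KeyStore ks, Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Certificate cert = cf.generateCertificate(in);
            String alias = pem.getFileName().toString().toLowerCase();
            ks.setCertificateEntry(alias, cert);
        }
    }
}
```

Run java TrustStoreMerger mergedKeystore isrgrootx1.pem trustid-x3-root.pem, then java -Djavax.net.ssl.trustStore=mergedKeystore HttpsUrlReader with either URL from the steps above: both connections succeed, while the same command with customKeystore still fails for icanhazip.com. The merged file is a copy, so it does not drift with distribution updates to cacerts; regenerate it whenever the system trust store changes.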
