Does Java support Let’s Encrypt certificates?

by

[Update 2016-06-08: According to https://bugs.openjdk.java.net/browse/JDK-8154757 the IdenTrust CA will be included in Oracle Java 8u101.]

[Update 2016-08-05: Java 8u101 has been released and does indeed include the IdenTrust CA: release notes]

Does Java support Let’s Encrypt certificates?

Yes. The Let’s Encrypt certificate is just a regular public key certificate. Java supports it (according to Let’s Encrypt Certificate Compatibility, for Java 7 >= 7u111 and Java 8 >= 8u101).

Does Java trust Let’s Encrypt certificates out of the box?

No / it depends on the JVM. The truststore of Oracle JDK/JRE up to 8u66 contains neither the Let’s Encrypt CA specifically nor the IdenTrust CA that cross signed it. new URL("https://letsencrypt.org/").openConnection().connect(); for example results in javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException.

You can however provide your own validator / define a custom keystore that contains the required root CA or import the certificate into the JVM truststore.

https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134/10 discusses the topic as well.

Here is some example code that shows how to add a certificate to the default truststore at runtime. You’ll just need to add the certificate (exported from firefox as .der and put in classpath)

Based on How can I get a list of trusted root certificates in Java? and http://developer.android.com/training/articles/security-ssl.html#UnknownCa

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class SSLExample {
    // BEGIN ------- ADDME
    static {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            Path ksPath = Paths.get(System.getProperty("java.home"),
                    "lib", "security", "cacerts");
            keyStore.load(Files.newInputStream(ksPath),
                    "changeit".toCharArray());

            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream caInput = new BufferedInputStream(
                    // this files is shipped with the application
                    SSLExample.class.getResourceAsStream("DSTRootCAX3.der"))) {
                Certificate crt = cf.generateCertificate(caInput);
                System.out.println("Added Cert for " + ((X509Certificate) crt)
                        .getSubjectDN());

                keyStore.setCertificateEntry("DSTRootCAX3", crt);
            }

            if (false) { // enable to see
                System.out.println("Truststore now trusting: ");
                PKIXParameters params = new PKIXParameters(keyStore);
                params.getTrustAnchors().stream()
                        .map(TrustAnchor::getTrustedCert)
                        .map(X509Certificate::getSubjectDN)
                        .forEach(System.out::println);
                System.out.println();
            }

            TrustManagerFactory tmf = TrustManagerFactory
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(keyStore);
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tmf.getTrustManagers(), null);
            SSLContext.setDefault(sslContext);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
    // END ---------- ADDME

    public static void main(String[] args) throws IOException {
        // signed by default trusted CAs.
        testUrl(new URL("https://google.com"));
        testUrl(new URL("https://www.thawte.com"));

        // signed by letsencrypt
        testUrl(new URL("https://helloworld.letsencrypt.org"));
        // signed by LE's cross-sign CA
        testUrl(new URL("https://letsencrypt.org"));
        // expired
        testUrl(new URL("https://tv.eurosport.com/"));
        // self-signed
        testUrl(new URL("https://www.pcwebshop.co.uk/"));

    }

    static void testUrl(URL url) throws IOException {
        URLConnection connection = url.openConnection();
        try {
            connection.connect();
            System.out.println("Headers of " + url + " => "
                    + connection.getHeaderFields());
        } catch (SSLHandshakeException e) {
            System.out.println("Untrusted: " + url);
        }
    }

}

More Related Contents:

  1. Using SSLContext with just a CA certificate and no keystore
  2. How can I use different certificates on specific connections?
  3. why doesn’t java send the client certificate during SSL handshake?
  4. Import PEM into Java Key Store
  5. Using a custom truststore in java as well as the default one
  6. java – path to trustStore – set property doesn’t work?
  7. What is Keystore?
  8. How to build a SSLSocketFactory from PEM certificate and key without converting to keystore?
  9. Java: Loading SSL Keystore via a resource
  10. Setting multiple truststore on the same JVM
  11. How do I list / export private keys from a keystore?
  12. Can we load multiple Certificates & Keys in a Key Store?
  13. Https Connection Android
  14. How to import a .cer certificate into a java keystore?
  15. How to handle invalid SSL certificates with Apache HttpClient? [duplicate]
  16. Ignoring SSL certificate in Apache HttpClient 4.3
  17. How to check certificate name and alias in keystore files?
  18. How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain
  19. Using client/server certificates for two way authentication SSL socket on Android
  20. SSL peer shut down incorrectly in Java
  21. How can I get a list of trusted root certificates in Java?
  22. How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?
  23. PKIX path building failed in Java application
  24. Enabling specific SSL protocols with Android WebViewClient
  25. How to override the cipherlist sent to the server by Android when using HttpsURLConnection?
  26. How to use keystore in Java to store private key?
  27. java.io.IOException: Invalid Keystore format
  28. Using HTTPS with REST in Java
  29. javax.net.ssl.SSLException: SSL handshake aborted Connection reset by peer while calling webservice Android
  30. PKIX path building failed in Eclipse

Leave a Comment