0
votes

I have a requirement where I need to run a Java-based HTTP server on SSL and connect to it from browsers. I also need to make sure that browsers don't show the security exception for a self-signed certificate.

I did the following -

  1. Generated a JKS keystore using Java keytool -keygen.
  2. Imported that keystore as a PKCS12 p12 file, using keytool -importkeystore.
  3. Loaded the p12 file into an X509Certificate2 object and added that to Root and CertificateAuthority:

    X509Store store5 = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    store5.Open(OpenFlags.ReadWrite);
    store5.Add(cert);
    store5.Close();

    X509Store store2 = new X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine);
    store2.Open(OpenFlags.ReadWrite);
    store2.Add(cert);
    store2.Close();

  4. Exported a certificate file from JKS keystore.

  5. Added that .cer file to cacerts of Java.

Now when I run the HTTP server, it picks the certificate and serves HTTPS requests, but the browser still shows the site as untrusted.

2
I'm voting to close this question as off-topic because what you want to do is impossible. - user177800
I suggest you read more about how SSL works. I really don't like people meddling with security stuff they don't have a clue about, with the goal to not have any error messages, not to build a secure product. - dryman
I do understand the risk involved. The situation here is such that it is required. I have a web app which needs to do certain things on the local machine, for which I will install an HTTP server on the local machine, and the web will connect to it. For that I need the browser to trust the certificate. - Nitin Tomer
This is an enterprise application and users will be aware of the risk involved. - Nitin Tomer

2 Answers

1
votes

Nitin, the option here is to install the certificate that you generated in the browser. You have not specified which browser; I am taking IE as an example. You can import the certificates.

Please, please note: I am importing them into a trusted store because I know I created them and I trust the issuer of the certificate. Never do that for untrusted 3rd-party sites. Additionally, you may want to add the site as a trusted site with lesser security if you trust it.


1
votes

Of course it is impossible. The whole purpose of the browser's error message is to alert the user that the website is using a certificate that is unsafe.

After you send the certificate request to the CA, you should get the CA certificate along with a "bundle", which is two or more certificates chained (concatenated), and you install that into the JKS (Java keystore), and the browser will accept your website as secure.

There are numerous resources on this topic available through your favorite search engine...
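
To tell which of the two situations discussed in these answers a keystore is in (a self-signed certificate, or a CA-issued chain installed in the JKS), the keystore the server loads can be inspected directly. The following is an added example, not code from any of the posts; the class name and the `KEYSTORE_PASS` environment variable are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: for each private-key entry, report whether the server would
// present a self-signed certificate or a CA-issued chain.
public class KeystoreChainCheck {

    // True when 'issuer' is named as the issuer of 'cert' and its key verifies the signature.
    static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try { cert.verify(issuer.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KEYSTORE_PASS"); // assumed variable name
        if (args.length != 2 || pass == null) {
            System.err.println("usage: KEYSTORE_PASS=... java KeystoreChainCheck <file> <JKS|PKCS12>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trusted-cert entries are not served
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean linked = true; // every certificate is signed by the next one in the chain
            for (int i = 0; i + 1 < chain.length; i++) {
                linked &= signedBy((X509Certificate) chain[i], (X509Certificate) chain[i + 1]);
            }
            System.out.printf("alias=%s subject=%s%n", alias, leaf.getSubjectX500Principal());
            System.out.printf("  issuer=%s chainLength=%d%n", leaf.getIssuerX500Principal(), chain.length);
            if (signedBy(leaf, leaf)) {
                System.out.println("  self-signed: each client must explicitly trust this certificate");
            } else if (!linked) {
                System.out.println("  broken chain: certificates in this entry do not sign each other");
            } else {
                System.out.println("  CA-issued: chain of " + chain.length + " certificate(s) installed");
            }
        }
    }
}
```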