Skip to content

Latest commit

 

History

History
39 lines (30 loc) · 1.64 KB

README.md

File metadata and controls

39 lines (30 loc) · 1.64 KB

SSLPoke

Java tool for testing validity (certificates) of trust stores

Usage:

java -Djavax.net.ssl.trustStore=<client-truststore-path> SSLPoke <target-hostname> <port>

Example:

java -Djavax.net.ssl.trustStore=/path/to/app/client-truststore.jks SSLPoke mydomain.com 443
  • If the server certificate is trusted by the client-truststore it will print,
Successfully connected
  • Othwerwise it will print print an exception like this.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • SSL DEBUG logs can be generated in the following way to throubleshoot the root cause of the failure.
java -Djavax.net.ssl.trustStore=/path/to/app/client-truststore.jks -Djavax.net.debug=ssl:handshake SSLPoke mydomain.com 443
  • To import the public certificate of the server into the client-truststore, we can follow the steps below.
openssl s_client -showcerts -connect mydomain.com:443 < /dev/null | openssl x509 -outform PEM > mydomain.com.pem

keytool -import -trustcacerts -alias mydomain.com -file mydomain.com.pem -keystore client-truststore.jks

Additionally, note that if the server certificate is a CA-signed certificate, we can just add the relevant root certificate instead of the end-cert or intermediate certs. (ref)

The original code came from https://confluence.atlassian.com/download/attachments/117455/SSLPoke.java