Tags: java, google-chrome, sslengine

How to create an SSLEngine with all the same public keys/certs from chrome, firefox or any browser?


Is there any way to create the SSLEngine using the certs that are installed with Chrome? I remember by default it has quite a few authority public certs installed.

I would think, since Chrome works with all the websites that I know of, that would be a bit more exhaustive and it's easier to just install Chrome and rely on that.

thanks, Dean


Solution

  • From what I gather each browser uses its own certificate storage. There are basically three solutions: one static, one dynamic and one "good enough". Here we go:

    1. Static solution - you read documentation, find out how to read certificates (or whole chains) from browsers' storage, export them by hand and import them all into Java's cacerts storage or your custom one.

    2. Dynamic solution - basically the same thing as above, but you do it during application startup.

    3. Lazy but good-enough solution - you do nothing and hope that the certificates in the cacerts JKS are nearly identical to those in the browser, be it Chrome, Firefox, Opera or IE.

    But note the following: https://bugzilla.mozilla.org/show_bug.cgi?id=1265113. Also, it seems that on Windows Chrome reads certificates from Windows' certificate store, so in reality your application should probably read the system certificate store and use it: on Linux there is /usr/share/ca-certificates, and to start with Windows you could try: https://superuser.com/questions/411909/where-is-the-certificate-folder-in-windows-7

    Unfortunately it seems that the implementation could be pretty convoluted - but hey!, it makes a pretty good open source project :)
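One way to wire up the "dynamic solution" in Java, as an added example that is not code from the question or the answer: on Windows the SunMSCAPI provider exposes the trusted-root store Chrome reads as the `Windows-ROOT` KeyStore type, and on Debian-style Linux the example imports every PEM file under the /usr/share/ca-certificates directory the answer mentions; the resulting store is handed to an SSLEngine through a TrustManagerFactory. The class name and the per-file alias scheme are my own choices.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.stream.*;
import javax.net.ssl.*;

public class SystemTrustSslEngine {

    /** Loads the platform CA store at startup (the answer's "dynamic solution"). */
    static KeyStore loadSystemTrustStore() throws Exception {
        if (System.getProperty("os.name").toLowerCase().contains("win")) {
            // SunMSCAPI exposes the Windows trusted-root store (what Chrome reads there) as a KeyStore.
            KeyStore ks = KeyStore.getInstance("Windows-ROOT");
            ks.load(null, null);
            return ks;
        }
        // Debian-style Linux keeps one PEM file per CA under this tree (path from the answer).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty, then import every certificate found
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (Stream<Path> s = Files.walk(Paths.get("/usr/share/ca-certificates"))) {
            for (Path p : s.filter(Files::isRegularFile).collect(Collectors.toList())) {
                try (InputStream in = Files.newInputStream(p)) {
                    int i = 0;
                    for (Certificate c : cf.generateCertificates(in)) {
                        ks.setCertificateEntry(p.getFileName() + "#" + i++, c); // aliases must be unique
                    }
                }
            }
        }
        return ks;
    }

    /** Builds a client-mode SSLEngine that trusts exactly the roots in trustStore. */
    static SSLEngine newClientEngine(KeyStore trustStore, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // Without this, a certificate chaining to any trusted root is accepted for any hostname.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }
}
```

The engine still has to be driven with wrap/unwrap by your own I/O loop; the point here is only that the trust decision comes from the same root set the browser uses, with hostname checking switched on.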