openssl, ssl-certificate, keystore, keytool, spring-annotations

Spring Boot SSL: How To Trust All Valid Certificates


Is there a possibility to trust my certificates automatically without manually adding them in the truststore?

In Spring Boot with SSL enabled, I want to use a REST service like Google APIs or Facebook. I have to add the certificate in the Truststore. OpenSSL gets the certificate. Keytool imports to Truststore.

> openssl s_client -connect googleapis.com:443 
> keytool.exe -import -noprompt -trustcacerts  -alias googleapis.com -file googleapis.com.cer -keystore app-server.p12 -storepass *****

The problem is that it's very inconvenient to manage: when the certificate expires I have to update the certificates in the truststore every time. There's also this error I sometimes get, even if I add the right certificate. I need a truststore because I use self-signed certificates generated with Keytool. Without it, my services cannot communicate with each other.

Error

Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

SSL Configuration

ssl:
    enabled: true
    key-store: classpath:keystore/app-server.p12
    key-store-password: ******
    key-alias: app-server
    key-store-type: PKCS12
    trust-store: classpath:keystore/app-server.p12
    trust-store-password: *****
    trust-store-type: PKCS12
    keyStorePath: config/keystore/app-server.p12

Main class snippet

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class ClientUiApplication {

    private static String keyStorePath;
    private static String keyStorePassword;

    // Instance setters so @Value can populate the static fields once the context is up
    @Value("${server.ssl.keyStorePath}")
    public void setKeyStorePath(String keyStorePath) {
        ClientUiApplication.keyStorePath = keyStorePath;
    }

    @Value("${server.ssl.key-store-password}")
    public void setKeyStorePassword(String keyStorePassword) {
        ClientUiApplication.keyStorePassword = keyStorePassword;
    }

    public static void main(String[] args) {
        SpringApplication.run(ClientUiApplication.class, args);
        // Points the JVM-wide default trust store at the app's own PKCS12 file,
        // replacing the JDK cacerts for every outgoing TLS connection
        System.setProperty("javax.net.ssl.trustStore", keyStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword);
    }
}

Solution

  • You give the code:

    public static void main(String[] args) {
        SpringApplication.run(ClientUiApplication.class, args);
        System.setProperty("javax.net.ssl.trustStore", keyStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword);
    }
    

    This means that you force the Java trust store to be the trust store you provide. The default trust store is not in use anymore.

    So yes, you have to add every needed root certificate to this trust store to not have the issue you describe.

    Why do you need to have a specific trust store?
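One way to keep the self-signed service certificates trusted without throwing away the JDK's default roots, as an added example (not the asker's or the answerer's code): a composite X509TrustManager that consults the app's own PKCS12 store first and falls back to the JDK default trust store, so public endpoints such as Google or Facebook validate against cacerts while the internal services validate against the app's store. The class name CompositeTrustManager and the path and password handed to sslContext are assumptions; a chain that neither store accepts is rejected.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;
/** Accepts a chain if the custom PKCS12 store OR the JDK default roots accept it; otherwise fails closed. */
public final class CompositeTrustManager implements X509TrustManager {
    private final X509TrustManager[] delegates;
    private CompositeTrustManager(X509TrustManager... delegates) { this.delegates = delegates; }

    // SSLContext trusting the JDK defaults plus the self-signed certs in customStore (path/password are assumed inputs)
    public static SSLContext sslContext(Path customStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(customStore)) { ks.load(in, password); }
        // Custom store first, then the JDK default trust store (a null KeyStore makes the factory load cacerts)
        X509TrustManager composite = new CompositeTrustManager(trustManagerFor(ks), trustManagerFor(null));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite }, null);
        return ctx;
    }

    private static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return (X509TrustManager) Arrays.stream(tmf.getTrustManagers())
                .filter(X509TrustManager.class::isInstance).findFirst()
                .orElseThrow(() -> new IllegalStateException("no X509TrustManager available"));
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try { tm.checkServerTrusted(chain, authType); return; } // first delegate that accepts wins
            catch (CertificateException e) { last = e; }
        }
        throw last; // no delegate trusted the chain
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegates[0].checkClientTrusted(chain, authType); // only the app's own store vouches for client certs
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return Arrays.stream(delegates).flatMap(t -> Arrays.stream(t.getAcceptedIssuers())).toArray(X509Certificate[]::new);
    }
}
```

Install the result with SSLContext.setDefault(ctx) or hand it to the HTTP client behind RestTemplate or WebClient. This also avoids the ordering problem in the question's main method: javax.net.ssl.trustStore is only read when the default SSLContext is first initialised, so setting it after SpringApplication.run() can come too late.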