Can I create self-signed certificate in Java which will be automatically trusted by web browsers?

Question

I've generated a self-signed certificate for my Java app using keytool. However, when I go to the site in a browser it always pops up with a warning - saying this site does not own the certificate - is there a way to self-sign/doctor a certificate so I won't get these warnings in a browser? Both server and browser are located on the same host and I navigate to the site using "http://localhost/". I do not want to add an exception to the browser because I have tests which run on a big build farm so it is excessive to add an exception to all browsers on all build machines.

Answer 1

No, you can't. You might as well ask "How can I make a fake certificate for hsbc.com?"

There are two ways to get a browser to accept a certificate:

• Buy a certificate for a domain from a trusted authority (which means proving to that authority that you own that domain) and then use that domain as the name of your test servers
• Install your signing certificate into the browsers, so that you effectively become a trusted authority for that browser.

Without touching the browsers, there's no other way to do it - how could there be, if the internet is to remain secure?

Answer 2

You could also setup a self-signed Certificate Authority (CA) using OpenSSL or possibly your Java tool. You can then use that CA to sign a number of server certs.

You are still going to need to manually trust your self-signed CA on all clients that access your test servers, but at least you only have to trust one root CA, rather than a bunch of individual self-signed server certs.

Another option is to check out CAcert.