Get certificate and add it to a Java truststore, when only having https URL?

Question

I'm trying to send push notifications to Android devices through the Google Cloud Message servers.

The URL we use to do that is:

https://android.googleapis.com/gcm/send

In our entreprise applications, we do not use the default CA authorities and we add manually each entity we trust for security reason, in a truststore file loaded by SSLContext properties. I'd like to add GCM certificate to our truststore.

I don't know how to get the certificate from that URL. It seems the Chrome/Firefox export way is not working since the page redirects to another non-SSL page.

Someone has a solution?

Answer 1

I've been able to save the certificates through the following Java code:

public void testConnectionTo(String aURL) throws Exception {
        URL destinationURL = new URL(aURL);
        HttpsURLConnection conn = (HttpsURLConnection) destinationURL.openConnection();
        conn.connect();
        Certificate[] certs = conn.getServerCertificates();
        System.out.println("nb = " + certs.length);
        int i = 1;
        for (Certificate cert : certs) {
            System.out.println("");
            System.out.println("");
            System.out.println("");
            System.out.println("################################################################");
            System.out.println("");
            System.out.println("");
            System.out.println("");
            System.out.println("Certificate is: " + cert);
            if(cert instanceof X509Certificate) {
                try {
                    ( (X509Certificate) cert).checkValidity();
                    System.out.println("Certificate is active for current date");
                    FileOutputStream os = new FileOutputStream("/home/sebastien/Bureau/myCert"+i);
                    i++;
                    os.write(cert.getEncoded());
                } catch(CertificateExpiredException cee) {
                    System.out.println("Certificate is expired");
                }
            } else {
                System.err.println("Unknown certificate type: " + cert);
            }
        }
    }

And import them to the truststore:

keytool -import -alias GoogleInternetAuthority -file myCert1 -keystore truststore

Answer 2

If you have openssl you can use

openssl s_client -connect android.googleapis.com:443

s_client is a "generic SSL/TLS client which connects to a remote host using SSL/TLS", and among other things it prints out the server certificate it received from the remote server. It isn't an HTTP client, so it doesn't know to follow the 301 redirect, it'll just give you the certificate of the initial server you connected to.