Executive summary: how do I install a new root certificate into Java using Java code?
We have a desktop application which accesses various web services. Recently one of them switched their SSL certificate to one signed by Trustwave. While the Trustwave SSL certificates are accepted by regular internet browsers, Java does not seem to come with the prerequisite root certificates, and we lost access to the given web service with the following error message:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We got a temporary reprieve by convincing the provider to switch back to Verisign but when they switch back we have to be ready. So I need our desktop software to automatically install the Trustwave root certificate as needed. Our customers are not tech savvy enough to use the keytool command and I would rather not script it since that strikes me as a fragile solution (separate implementations for Mac and PC, the struggle against Vista execution restrictions, trouble finding the correct JRE to install into, etc).
I imagine the keytool uses Java internally. What command could I use within Java to replicate the functionality of keytool and install the root certificate programmatically?
I don't know if that is possible, but you could implement your own TrustManager to allow this connection or this CA. Here are the basics.
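One way to do what this answer suggests, as an added example that is not from the original post or any of its answers: instead of writing into the JRE's cacerts file, load a copy of it into memory, add the new root CA to that copy, and build an SSLContext whose TrustManager uses the combined store. The certificate file path and URL are command-line arguments (assumed); the cacerts location and the password "changeit" are the JRE's documented defaults.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Builds an SSLContext that trusts the JRE's default CAs plus one extra root,
// held in memory only: the JRE's cacerts file on disk is never modified.
public final class ExtraRootTrust {
    public static SSLContext contextWithExtraRoot(Path extraRootCert) throws Exception {
        // 1. Load the JRE's shipped trust store (default password "changeit").
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            trustStore.load(in, "changeit".toCharArray());
        }

        // 2. Parse the additional root (PEM or DER) and add it to the in-memory copy.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root;
        try (InputStream in = Files.newInputStream(extraRootCert)) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        // A root must be self-signed; refuse anything else (e.g. an intermediate).
        root.verify(root.getPublicKey());
        trustStore.setCertificateEntry("extra-root-" + root.getSerialNumber().toString(16), root);

        // 3. Build trust managers from the combined store and an SSLContext using them.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java ExtraRootTrust <root-cert-file> <https-url>
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextWithExtraRoot(Paths.get(args[0]));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per-connection, not process-wide
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the extra root lives only in this SSLContext, other TLS connections in the process (and every other JVM on the machine) keep the unmodified default trust set, and shipping a new root is a change to the application's own data rather than to the JRE.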
If you want to install the certificate to the trusted root's keystore on the desktop machine, you will need permission to do that. It's the same with the keytool, you need a password to access the trusted root's keystore. If you want to be quick-n-dirty, you can use the KeyTool class (sun.security.tools.KeyTool). But IMHO if the certificate is not valid, then it is not trustworthy. I would say there's a good reason for that.
IMHO, Sun has not exposed keytool via an API, primarily to prevent developers from modifying the set of trusted CAs. I can very well imagine attackers exploiting such code to insert their own root certificates into the trust store, compromising the very model of the trust store.
In fact, if you look at the source of the KeyTool class (sun.security.tools package), not only is it final, it also has a private constructor preventing any caller from creating an instance of the KeyTool class from code. KeyTool does have a main method, making the command line (and hence an OS user) possibly the only manner in which one can initialize and communicate with KeyTool.
The only (simplistic) approaches left would be: