I have a Java server that is trying to connect to an external LDAP server through SSL (as a client, in order to perform queries).
I'm having trouble connecting since the certificate they send me upon connecting is trusted only in my local Windows truststore but is not present in the Java truststore (cacerts).
Is there a way to tell Java to trust any certificate that Windows would trust?
Or, alternatively, is there a way to import all trusted certificates from the Windows truststore into Java's cacerts?
Any idea would be appreciated.
Solution
On Windows, set the following JVM properties:
I’ve successfully tested this with Java 7, which runs on a 64-bit Windows installation which trusts a self-signed CA.
Configuring the security provider
If the above solution works for you (it should), you may skip this section. Otherwise, check the setup of your Java Cryptography Extension (JCE), which is bundled with modern JDKs. Your JDK installation should have a property file which contains a list of security providers. The location of that file may vary with Java versions; mine is located at "%JAVA_HOME%\jre\lib\security\java.security". Inside that file, locate a set of properties whose names begin with "security.provider". One of those entries should be set to "sun.security.mscapi.SunMSCAPI".
Example
To set the properties at runtime, use the following Java code:
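As an added example (not the answer's own code), the program below sets the two properties this answer relies on before any TLS connection is opened, checks that the Windows-ROOT store actually loads through SunMSCAPI, and then opens an LDAPS connection with JNDI. It also applies the trustStore=NUL workaround from the Explanation section rather than creating a dummy file. The host name in LDAPS_URL is a placeholder; the class and method names are mine.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example: make the JVM trust what the Windows ROOT store trusts and
 * open an LDAPS connection. Only meaningful on Windows with SunMSCAPI present.
 */
public class WindowsRootLdaps {

    // Placeholder LDAPS URL; replace with your directory server.
    private static final String LDAPS_URL = "ldaps://ldap.example.invalid:636";

    /** Must run before the default SSLContext is created (i.e. before the first TLS connection). */
    public static void configureWindowsTrust() {
        // SunMSCAPI exposes "Trusted Root Certification Authorities" as the Windows-ROOT keystore type.
        System.setProperty("javax.net.ssl.trustStoreType", "Windows-ROOT");
        // Workaround from the answer: some JVMs still try to open the path in trustStore,
        // so point it at the NUL device instead of creating a dummy file named NONE.
        System.setProperty("javax.net.ssl.trustStore", "NUL");
    }

    /** Sanity check: load the store directly and count the X.509 certificates it exposes. */
    public static int countWindowsRootCertificates() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-ROOT");
        ks.load(null, null); // no file and no password: the store is backed by Windows CAPI
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) instanceof X509Certificate) {
                count++;
            }
        }
        return count;
    }

    /** Anonymous LDAPS bind; JNDI's default SSL socket factory honours the javax.net.ssl.* properties. */
    public static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        return new InitialDirContext(env); // the TLS handshake happens here
    }

    public static void main(String[] args) throws Exception {
        configureWindowsTrust();
        System.out.println("Certificates visible via Windows-ROOT: " + countWindowsRootCertificates());
        DirContext ctx = connect();
        try {
            System.out.println("TLS handshake succeeded; connected to " + LDAPS_URL);
        } finally {
            ctx.close();
        }
    }
}
```

If countWindowsRootCertificates() throws a KeyStoreException saying the type is not found, the SunMSCAPI provider is not registered, which is what the "Configuring the security provider" section above addresses. If it returns a count but the bind still fails with a PKIX error, the properties were most likely set after the default SSLContext had already been initialised elsewhere in the application.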
Explanation
javax.net.ssl.trustStoreType
On Windows, Java ships with SunMSCAPI, a security provider which is actually a wrapper around the Windows CAPI. Setting the javax.net.ssl.trustStoreType property to "Windows-ROOT" instructs Java to refer to the native Windows ROOT keystore for trusted certificates, which includes root CAs. (Similarly, setting javax.net.ssl.keyStoreType to "Windows-MY" tells Java to refer to the native Windows MY keystore for user-specific certificates and their corresponding keys.)
javax.net.ssl.trustStore
If the javax.net.ssl.trustStoreType property is set to "Windows-ROOT", one would expect that the value of javax.net.ssl.trustStore is ignored, and that it can be set to e.g. "NONE". Some users report that this approach doesn't work for them though. One common workaround for this issue is to set javax.net.ssl.trustStore to "NONE", and then create a dummy file whose file name is NONE. If you find yourself affected by this quirk, try setting javax.net.ssl.trustStore to "NUL" so you won't have to create any dummy files.

No, you have to use the JVM default at jre/lib/security/cacerts or set your own truststore:

There is no automatic process, but you could build a program to extract trusted authorities from the Windows certificate store and import them into a truststore configured for use in your application (modifying cacerts is not recommended).