Server Certificate Verification with OpenSSL

When connecting to an untrusted server (e.g. during development), you will not be able to connect to it with server certificate verification turned on.

$ openssl s_client -verify 1 -verify_return_error -connect
no peer certificate available
No client certificate CA names sent

No connection will be established. Grab the server certificate with openssl:

$ openssl s_client -connect 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Save the server certificate as and use it as a trusted certificate (CAfile):

$ openssl s_client -verify 1 -verify_return_error -CAfile -connect

This will allow you to connect to an untrusted development server with server certificate verification turned on.
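
A certificate grabbed over the still-unverified connection is trusted on first use, so compare its fingerprint with a value read from the server itself before using it as CAfile. The functions below are an added example, not part of the original post: their names are hypothetical, host:port, file name and expected fingerprint are supplied by the caller, and the sample output is constructed.

```shell
# Added example (not from the original post). Function names are hypothetical;
# host:port, output file and expected fingerprint are supplied by the caller.

# Print only the first PEM certificate (the leaf) from s_client output on stdin.
extract_first_cert() {
    awk '/-BEGIN CERTIFICATE-/ { on = 1 }
         on                    { print }
         /-END CERTIFICATE-/   { if (on) exit }'
}

# Reduce "sha256 Fingerprint=AB:CD:..." (or a bare value) to lowercase hex.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' | tr -d ': ' | tr 'A-F' 'a-f'
}

# Save the server certificate only if its SHA-256 fingerprint equals the one
# obtained out-of-band. usage: pin_server_cert HOST:PORT OUTFILE EXPECTED_SHA256
pin_server_cert() {
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$1" </dev/null 2>/dev/null | extract_first_cert >"$tmp"
    got=$(normalize_fp "$(openssl x509 -in "$tmp" -noout -fingerprint -sha256)")
    want=$(normalize_fp "$3")
    if [ -z "$want" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $1: got '$got'" >&2; rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$2"
}

# Connect with verification on, trusting only the pinned file (as on the page).
# usage: verify_with_pin HOST:PORT CAFILE
verify_with_pin() {
    openssl s_client -verify 1 -verify_return_error -CAfile "$2" -connect "$1" </dev/null
}

# Constructed s_client -showcerts style output (placeholders, not real certificates).
sample_output() {
    cat <<'EOF'
 0 s:CN = dev.example.test
-----BEGIN CERTIFICATE-----
TEVBRi1DT05TVFJVQ1RFRA==
-----END CERTIFICATE-----
 1 s:CN = Constructed CA
-----BEGIN CERTIFICATE-----
Q0EtQ09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}
```

`pin_server_cert` refuses to write the file when the fingerprints differ, so a certificate substituted on the network path never becomes the trust anchor.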

To use the certificate with your current Java installation you can import the certificate into the Java keystore.

$ keytool -import -alias datenkollektiv -file -keystore ${JAVA_HOME}/jre/lib/security/cacerts
Enter keystore password:
Trust this certificate? [no]:  yes
Certificate was added to keystore

By the way, the default password is changeit :)
