Server Certificate Verification with OpenSSL

When connecting to a untrusted server. (e.g. during development) you'll not be able to connect to it with server certificate verification turned on.

$ openssl s_client -verify 1 -verify_return_error -connect datenkollektiv.de:443
...
---
no peer certificate available
---
No client certificate CA names sent
---
...

No connection will be extablished. Grab the server certificate with openssl:

$ openssl s_client -connect datenkollektiv.de:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

save the server certificate as datenkollektiv.de.pem and use it as trusted certificate (CAfile):

$ openssl s_client -verify 1 -verify_return_error -CAfile datenkollektiv.de.pem -connect datenkollektiv.de:443

This will allow you to connect to an untrusted development server with server certificate verification turned on.

To use the certificate with your current Java installation you can import the certificate into the Java keystore.

$ keytool -import -alias datenkollektiv -file datenkollektiv.de.pem -keystore ${JAVA_HOME}/jre/lib/security/cacerts
Enter keystore password:
Owner: CN=wallaby.datenkollektiv.de
....
Trust this certificate? [no]:  yes
Certificate was added to keystore

By the way the default password is changeit :)

Show Comments