4.2.3. Certificates in JSSE

Basic features

Applications in ExtraNet are secured by a server-side certificate that was created by a public certification authority.

We recommend importing the root certification authority’s (Root CA) certificate.

To identify the certificate, open your browser and go to:

and call up the necessary information through the internet options.

Determining the keystore used

The keystore used in the Java application can be determined as follows:

Step 1: Call up the JSSE application with the debug option as follows:

java -Djavax.net.debug=ssl <application name>

Result: The filename of the keystore used, including its absolute path, is shown in the first lines of the output.

Note: Further details are available in the JSSE reference guide:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html

Importing the certificate using Microsoft Internet Explorer

The relevant certificate for the root CA can be imported to the keystore using Microsoft Internet Explorer as follows:

Step 1: Open Microsoft Internet Explorer.

Step 2: Go to Tools -> Internet options -> “Content” tab -> “Certificates” button -> “Trusted Root Certification Authorities” tab. Select the application’s current root certificate from the list and export it in the format “Base64 encoded X.509”.

Result: The certificate is exported in a Base64 encoded format.

Note: Once the root CA certificate has been identified, it can also be downloaded from the relevant CA’s internet site and imported into your automated client keystore.

Step 3: Import the certificate into the Java keystore with the JDK tool as follows:

keytool -import -file "d:\jsse\tc.cer" -keystore "D:\jdk1.4\jre\lib\security\cacerts"

Note: The default password is “changeit”.

If no import takes place, JSSE generates the following error message:

“untrusted server cert chain”