Add Certificat to JAVA application


#1

Hi,

I am using Let’s Encrypt for SSL on my server for my website.
A third party (Boxtal) is trying to connect via their JAVA apps but it receives a “Handshake failure”.
Boxtal is using an old JAVA 7u21.
From what I have read, Boxtal needs to declare the root certificat somewhere but they do not know what to add, where and how…
Can someone help, please ?
I am with Let’s Encrypt Authority X3.
Thank you,
Fred.


#2

Java7 update 111 and up supports LE. This version is paywalled. Java8u101 and up supports it, and is a relatively painless upgrade, compared to coming from 1.4 or below. You should strongly recommend your client do this, and refuse to support them if they don’t, because Oracle certainly refuses to support those ancient versions of Java.

Java7u21 is 6 years old and full of dozens of easily-exploitable vulnerabilities. You should think twice about even allowing such a client to connect.

That said, you can use keytool to create a custom trust bundle. See https://drissamri.be/blog/2017/02/22/trusting-lets-encrypt-java/ The problem is that while getting one workstation to trust is easy, rolling it out to an organization and keeping it in sync with Java releases is incredibly difficult. You can pass this on to your client, but IMHO they need to upgrade ASAP.


#3

Thank you ! Your answer is very helpful.
I will try first to have them create the bundle. But I do not know which certificat to add ? In fact I am lost in Root, intermediate and so on…

Can you help ?

Thank you,

Fred.


#4

The only certificate you need right now is the DST Root CA X3:

https://crt.sh/?d=8395

If you think you’ll still be using this outdated Java version in 2+ years you may also want to import the ISRG Root X1:

https://letsencrypt.org/certs/isrgrootx1.pem

If you just want to add these certificates to the machine and not the application you can use the Java Control Panel and save yourself some CLI work:

https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/jcp.html#security

(I’m assuming the machine is running Windows or macOS because it is using an old Java 7. If it is Linux you really should be using the secure OpenJDK 7 your distribution provides.)

If you want to embed the certificate within your Java application so others it is distributed to won’t need to go to the Java Control Panel, you will need to use keytool as @SilverbackNet linked to.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.