Obtaining a valid SSL/TLS certificate for a target host (when the certificate cannot be obtained directly)

Source: Internet
Author: User
Tags: ssl, connection

Currently, many websites and services are built on SSL and can only be accessed after their certificate has been downloaded and installed on the client. If the site offers the certificate for download, there is no problem at all.

However, if you have no way to download it, and it is not a CA-issued certificate but merely a self-signed server certificate, and all you know is the host address and port, then forcing a connection from a program may fail with the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

It turns out that Sun provides a small tool program (InstallCert) that can be run to fetch the certificate the server presents and add it to a local trust store.
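To show what such a tool does internally, here is an added example written for this page; it is neither the original post's code nor Sun's InstallCert. It opens a TLS handshake through a trust manager that only records the chain the server presents, prints subject, issuer and SHA-256 fingerprint of each certificate, and stores the leaf certificate alone in a fresh keystore. The class and method names (FetchServerChain, fetchChain, saveTrustedCert) and the file name jssecacerts are assumptions; the default host and port are taken from the example that follows. Note two details a practitioner wants: the capturing trust manager always throws, so it can never be reused as a "trust everything" manager, and only the leaf is pinned, so a compromised or replaced certificate is rejected rather than anything signed by the same self-signed issuer.

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class name): capture a server's certificate chain and pin the leaf. */
public class FetchServerChain {

    /** Records the chain the server presented and then rejects it, so it is never a trust-all manager. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain;

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not expected here");
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.chain = chain;
            throw new CertificateException("chain captured; this manager trusts nothing");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /** Connects to host:port and returns the chain the server sent (leaf first). */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);
            socket.startHandshake(); // expected to fail: the trust manager throws after capturing
        } catch (SSLException expected) {
            // Normal path: the handshake is aborted, but the chain has already been recorded.
        }
        if (tm.chain == null) {
            throw new IllegalStateException("server sent no certificate chain");
        }
        return tm.chain;
    }

    /** Colon-separated uppercase hex digest of the DER encoding, e.g. "AB:CD:...". */
    static String fingerprint(String algorithm, X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Writes a single certificate as a trusted entry into a new keystore file. */
    static void saveTrustedCert(X509Certificate cert, String alias, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty keystore
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "dynamic.12306.cn";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        X509Certificate[] chain = fetchChain(host, port);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            System.out.println((i + 1) + " Subject " + c.getSubjectX500Principal());
            System.out.println("  Issuer  " + c.getIssuerX500Principal());
            System.out.println("  SHA-256 " + fingerprint("SHA-256", c));
        }
        // Pin only the leaf. Compare the printed fingerprint with one obtained out of band
        // (from the operator of the host) before relying on the stored certificate.
        saveTrustedCert(chain[0], host + "-1", "jssecacerts", "changeit".toCharArray());
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + host + "-1'");
    }
}
```

Run it as `java FetchServerChain host port`. The fingerprint comparison is the step that makes this safe: fetching the certificate from the network and trusting it blindly only proves you are talking to whoever answered on that port at that moment.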

Here we take the ticket-purchase part of 12306 as an example:

E:\learn\security>java testfetchingcert dynamic.12306.cn
Loading KeyStore c:\shared\jdk1.6.0_18\jre\lib\security\cacerts...
Opening connection to dynamic.12306.cn:443...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at InstallCert.main(InstallCert.java:97)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:192)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
        ... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 14 more

Server sent 2 certificate(s):

 1 Subject CN=dynamic.12306.cn, OU=Railway Customer Service Center, O=Sinorail Certification Authority, C=CN
   Issuer  CN=SRCA, O=Sinorail Certification Authority, C=CN
   sha1    F6 2E C7 E4 12 D1 AA B3 F0 7F AC B7 F7 20 E6 77 DA E5 B9 B7
   md5     CB 3B 65 19 FE B4 88 28 5B 0C 81 F8 BC EF BA 93

 2 Subject CN=SRCA, O=Sinorail Certification Authority, C=CN
   Issuer  CN=SRCA, O=Sinorail Certification Authority, C=CN
   sha1    AE 3F 2E 66 D4 8F C6 BD 1D F1 31 E8 9D 76 8D 50 5D F1 43 02
   md5     60 13 24 F0 9A E9 88 49 58 1B 37 C9 A1 90 57 24

Enter certificate to add to trusted keystore or 'q' to quit: [1]
[
[
  Version: V3
  Subject: CN=dynamic.12306.cn, OU=Railway Customer Service Center, O=Sinorail Certification Authority, C=CN
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 131877243788581441455453893594344470200831819323761004983028382908123170744716274924195017274254124953756531355671448830163684168356232189427657515240155383489455640758012703375457674009273923267881490333363099952573578023750920902134321577573362887935276807781022292107338956095769504324054527406579242046053
  public exponent: 65537
  Validity: [From: Wed Jun 01 17:56:35 CST 2011,
               To: Sat May 31 17:56:35 CST 2014]
  Issuer: CN=SRCA, O=Sinorail Certification Authority, C=CN
  SerialNumber: [    205cfb9e 4a12b557]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9C 0F FE C1 B2 9D 07 6D   9F 88 EC E1 77 3D DF 41  .......m....w=.A
0010: 1D 4E 8E 43                                        .N.C
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 5E B6 77 B7 E2 52 83   43 ED C7 51 88 4C 63 85  y^.w..R.C..Q.Lc.
0010: 2C 00 43 58                                        ,.CX
]
]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
Unparseable CRLDistributionPoints extension due to
java.io.IOException: Invalid URI name:ldap://210.75.98.102:390/cn=crl3,OU=CRL,O=Sinorail Certification Authority,C=CN?certificateRevocationList?base?objectclass=idaPerson
0000: 30 81 90 30 81 8D A0 81   8A A0 81 87 86 81 84 6C  0..0...........l
0010: 64 61 70 3A 2F 2F 32 31   30 2E 37 35 2E 39 38 2E  dap://210.75.98.
0020: 31 30 32 3A 33 39 30 2F   63 6E 3D 63 72 6C 33 2C  102:390/cn=crl3,
0030: 4F 55 3D 43 52 4C 2C 4F   3D 53 69 6E 6F 72 61 69  OU=CRL,O=Sinorai
0040: 6C 20 43 65 72 74 69 66   69 63 61 74 69 6F 6E 20  l Certification 
0050: 41 75 74 68 6F 72 69 74   79 2C 43 3D 43 4E 3F 63  Authority,C=CN?c
0060: 65 72 74 69 66 69 63 61   74 65 52 65 76 6F 63 61  ertificateRevoca
0070: 74 69 6F 6E 4C 69 73 74   3F 62 61 73 65 3F 6F 62  tionList?base?ob
0080: 6A 65 63 74 63 6C 61 73   73 3D 69 64 61 50 65 72  jectclass=idaPer
0090: 73 6F 6E                                           son

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: AC 2F FA 07 7B 8F 92 8B   51 2D A4 8A E3 FE AA 56  ./......Q-.....V
0010: 16 AD 38 DC E0 87 4B ED   47 05 B4 4B D6 4E 73 5E  ..8...K.G..K.Ns^
0020: 19 66 8B 2C BB 1D 7B 6A   A5 23 E1 8E 79 25 DD 9D  .f.,...j.#..y%..
0030: DF 8F 6D F0 5C E6 79 36   41 0F 0A AF 90 72 D5 CD  ..m.\.y6A....r..
0040: B1 1D 20 DB 6E 27 8D 56   42 29 8D 18 E8 D3 6D EF  .. .n'.VB)....m.
0050: 99 EE 83 7B 68 16 49 00   A2 B9 FD 82 9E 76 07 A3  ....h.I......v..
0060: 45 60 C7 D6 04 68 14 39   1F 8D 89 EA 4C 5C 38 8C  E`...h.9....L\8.
0070: 9A BD 18 FC DD 9E BC EA   27 DC C7 05 5A 0D 41 F5  ........'...Z.A.

]
Added certificate to keystore 'jssecacerts' using alias 'dynamic.12306.cn-1'

E:\learn\security>

With the certificate now in the keystore, it can be exported:

Export it as readable (PEM) text; the keystore password is the default, changeit:

E:\learn\security>keytool -export -alias dynamic.12306.cn-1 -keystore jssecacerts -rfc -file 12306.cer
Enter keystore password:
Certificate stored in file <12306.cer>

E:\learn\security>cat 12306.cer
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----

From now on, you can use the certificate obtained this way to establish an SSL connection to the target host at any time.
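How that connection is made is worth showing explicitly, because the alternative many people reach for (a trust manager that accepts everything) throws away the protection the certificate was fetched for. The following is an added example written for this page, not code from the original post: it loads the keystore created above into an SSLContext, so only the stored certificate is trusted, and turns on host name verification, which a raw SSLSocket does not perform by default. The class and method names (ConnectWithPinnedTrustStore, contextFromTrustStore, connect) and the path of the keystore are assumptions. JSSE also picks up a file named jssecacerts from <java-home>/lib/security in preference to cacerts, which is why the tool writes that name; loading the file explicitly, as here, keeps the pinned trust store scoped to this client instead of affecting every program on the JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical class name): connect using only the pinned certificate as trust anchor. */
public class ConnectWithPinnedTrustStore {

    /** Builds an SSLContext whose trust managers know only the certificates in the given keystore file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material, no custom randomness
        return ctx;
    }

    /**
     * Opens a TLS socket to host:port. The chain is checked against the keystore and the
     * certificate's name is checked against host; a mismatch on either fails the handshake.
     */
    static String connect(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // host name verification (Java 7+)
            socket.setSSLParameters(params);
            socket.setSoTimeout(10000);
            socket.startHandshake();
            return socket.getSession().getProtocol() + " / " + socket.getSession().getCipherSuite();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed path: the jssecacerts file written in the current directory by the fetch step.
        SSLContext ctx = contextFromTrustStore("jssecacerts", "changeit".toCharArray());
        System.out.println("Handshake OK: " + connect(ctx, "dynamic.12306.cn", 443));

        // For code that uses HttpsURLConnection, install the same context process-wide instead.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Because the keystore holds only the pinned certificate, a different certificate on that host, even one issued by a public CA in the JDK's cacerts, is rejected; that is the expected behaviour of pinning, and it also means the keystore must be updated when the server's certificate is renewed (the captured one above expires on 31 May 2014).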
