A. You generally need a truststore, which points to a file containing trusted certificates, whether you are implementing the server or the client side. You may or may not need a keystore. The keystore points to a file containing your private key. You need a keystore if
- you are implementing the server side of the protocol, or
- you are implementing the client side and you need to authenticate yourself to the server.
STEP 1:
The first step is to get hold of the certificates. You can export the certificates from Google Chrome or Firefox. If you click "View site information" in Google Chrome, you can save any cert in the chain to a file. In Firefox, you could try something like
Click on "I understand the Risks" and then on "Add exception". You will get a screen as shown below.
Click on "Get certificate" and then "View". On the second tab, named "Details", you will see an Export button to export the certificate.
Save the file as shown above to be imported into your truststore as explained below.
STEP 2:
A working truststore needs to contain the certs to trust, as well as the certs in the parent chain. You can import certificates with the keytool that ships with Java.
Import parent certificate
keytool -importcert -alias myservices -file mydomain.crt -keystore truststore.jks
Import another linked certificate
keytool -importcert -alias coreservices -file mydomain2.crt -keystore truststore.jks
Note: When prompted, enter a password and answer yes to trust the certificate.
To view the certificates
keytool -list -keystore truststore.jks
STEP 3:
Use the trust store as shown below.
java -Djavax.net.ssl.trustStore=C:\whatever\truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
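As an added example (not code from the original page): instead of setting the truststore JVM-wide with the system properties above, this loads the truststore.jks from STEP 2 for a single HTTP client, lists each entry's alias, subject and expiry, and optionally attempts a TLS handshake against a URL you pass in. The class name TrustStoreClient and the TRUSTSTORE_PASSWORD environment variable are assumptions made for the example; it needs Java 11 or later.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {
    // Load the JKS file created with keytool in STEP 2.
    static KeyStore loadTrustStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (var in = Files.newInputStream(file)) {
            ks.load(in, password); // a non-null password also verifies the file's integrity
        }
        return ks;
    }

    // Build an SSLContext that trusts only the certificates in this store.
    // Hostname verification stays enabled; only the set of trust anchors changes.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: no client certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("TRUSTSTORE_PASSWORD"); // assumed variable name
        if (args.length < 1 || password == null) {
            System.err.println("usage: TRUSTSTORE_PASSWORD=... java TrustStoreClient.java <truststore.jks> [https-url]");
            return;
        }
        KeyStore ks = loadTrustStore(Path.of(args[0]), password.toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s trusted=%b subject=%s expires=%s%n", alias,
                ks.isCertificateEntry(alias), cert.getSubjectX500Principal(), cert.getNotAfter());
        }
        if (args.length > 1) { // optional: check that the store validates the server's chain
            HttpClient client = HttpClient.newBuilder().sslContext(contextFor(ks)).build();
            HttpResponse<Void> resp = client.send(HttpRequest.newBuilder(URI.create(args[1])).build(),
                HttpResponse.BodyHandlers.discarding());
            System.out.println("TLS handshake OK, HTTP " + resp.statusCode());
        }
    }
}
```

If the parent chain is missing from the truststore, the request fails with an SSLHandshakeException instead of printing the status line. An entry that shows trusted=false is a private-key entry, which belongs in a keystore rather than a truststore.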
Q. How do you go about resolving any SSL related installation issues?
A. Several SSL tools are available that can help you diagnose SSL problems and get your servers running SSL properly.
OpenSSL is an open source implementation of the SSL protocol, and by far the most versatile SSL tool.