Sometimes, it's inevitable that HTTPs is only provided, or you are unable to change third part code to ignore certificate verification.
How to import a certificate into a JVM? Here are some steps.
Step1. Fetch the certificate
openssl s_client -connect youtube.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > youtube.crt
Step2. Import the certificate
keytool -import -alias youtube.com -keystore /Users/chliu/.sdkman/candidates/java/current/jre/lib/security/cacerts -file youtube.crt
Enter keystore password:<changeit>
Owner: CN=*.google.com, O=Google LLC, L=Mountain View, ST=California, C=US
Issuer: CN=Google Internet Authority G3, O=Google Trust Services, C=US
Serial number: 3b6e50a1d2080062
Valid from: Tue Jan 29 22:58:00 CST 2019 until: Tue Apr 23 22:58:00 CST 2019
Certificate fingerprints:
MD5: 19:0D:FC:58:69:85:29:59:C4:42:71:05:21:EA:B4:2E
SHA1: E4:A8:7B:F5:3E:9A:17:4A:E2:9F:26:8F:81:23:78:E3:15:08:85:99
SHA256: F7:EE:A9:17:44:FD:5D:E8:09:73:4D:97:85:E4:7E:AE:FA:73:6D:6F:31:36:55:0B:07:1B:15:68:D8:81:A3:C8
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://pki.goog/gsr2/GTSGIAG3.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.pki.goog/GTSGIAG3
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 77 C2 B8 50 9A 67 76 76 B1 2D C2 86 D0 83 A0 7E w..P.gvv.-......
0010: A6 7E BA 4B ...K
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.pki.goog/GTSGIAG3.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.3]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.google.com
DNSName: *.android.com
DNSName: *.appengine.google.com
DNSName: *.cloud.google.com
DNSName: *.g.co
DNSName: *.gcp.gvt2.com
DNSName: *.ggpht.cn
DNSName: *.google-analytics.com
DNSName: *.google.ca
DNSName: *.google.cl
DNSName: *.google.co.in
DNSName: *.google.co.jp
DNSName: *.google.co.uk
DNSName: *.google.com.ar
DNSName: *.google.com.au
DNSName: *.google.com.br
DNSName: *.google.com.co
DNSName: *.google.com.mx
DNSName: *.google.com.tr
DNSName: *.google.com.vn
DNSName: *.google.de
DNSName: *.google.es
DNSName: *.google.fr
DNSName: *.google.hu
DNSName: *.google.it
DNSName: *.google.nl
DNSName: *.google.pl
DNSName: *.google.pt
DNSName: *.googleadapis.com
DNSName: *.googleapis.cn
DNSName: *.googlecommerce.com
DNSName: *.googlevideo.com
DNSName: *.gstatic.cn
DNSName: *.gstatic.com
DNSName: *.gstaticcnapps.cn
DNSName: *.gvt1.com
DNSName: *.gvt2.com
DNSName: *.metric.gstatic.com
DNSName: *.urchin.com
DNSName: *.url.google.com
DNSName: *.youtube-nocookie.com
DNSName: *.youtube.com
DNSName: *.youtubeeducation.com
DNSName: *.youtubekids.com
DNSName: *.yt.be
DNSName: *.ytimg.com
DNSName: android.clients.google.com
DNSName: android.com
DNSName: developer.android.google.cn
DNSName: developers.android.google.cn
DNSName: g.co
DNSName: ggpht.cn
DNSName: goo.gl
DNSName: google-analytics.com
DNSName: google.com
DNSName: googlecommerce.com
DNSName: source.android.google.cn
DNSName: urchin.com
DNSName: www.goo.gl
DNSName: youtu.be
DNSName: youtube.com
DNSName: youtubeeducation.com
DNSName: youtubekids.com
DNSName: yt.be
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB F4 15 80 EC F0 4E F6 58 5A B1 49 4C 82 12 48 ......N.XZ.IL..H
0010: F9 FB 7E 3B ...;
]
]
Step3. Check certificate in keystore
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts | grep youtube
Step4. Specify trust store AND PASSWRD
-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.debug=all
If there are some issue that hostname in certificate didn't matched, the steps below can help to confirm the issue.
- Check the Server’s FQDN and make sure this match with the URL configured on the Certificate.
- Wildcard certificate cannot support subdomain. The subdomain also need to create a certificate. How to Fix SSL Common Name Mismatch Error