@AbuCarlo
Created June 23, 2019 18:18
Creating a Truststore for Deployed App

How to Create a Truststore for Deployed Applications

If your service is going to call other services in CapitalOne, especially the DevEx gateway, your JVM will have to trust hosts within capitalone.com. The usual way developers do this is to get the Capital One root certificate from another developer and import it into $JAVA_HOME.../cacerts. This is unwise for EC2 instances: cacerts is probably cluttered with other certificates, and for deployment you want to know exactly what your application trusts, not throw files onto an instance and hope they work.

The better practice is a truststore that holds nothing beyond what your application needs. keytool has no command for creating an empty keystore, so the usual trick is to generate a throwaway self-signed key pair; it lands under the default alias mykey, and you should remove it with keytool -delete once a real certificate has been imported (keytool -importcert also creates the keystore file on first use, so this step can be skipped entirely). The command prompts for a keystore password and a distinguished name:

[pwg947@8c8590bb05f2 Trust 15:29:23] $ keytool -genkey -keyalg RSA -keystore truststore.jks -keysize 2048

If your Java code can already connect to DevEx, it is because the JDK's default truststore (cacerts) already contains a CA certificate that the host's chain leads back to. A 400 here is an HTTP response: the TLS handshake succeeded and the request reached the target, which then rejected it, and that is all we need to know. Groovy is compiled to bytecode and runs in a JVM, so it is a convenient way to exercise the JVM's trust configuration from the command line.

[pwg947@8c8590bb05f2 Trust 15:17:57] $ groovy -e '"https://api-it.cloud.capitalone.com/oauth2/token".toURL().text'
Caught: java.io.IOException: Server returned HTTP response code: 400 for URL: https://api-it.cloud.capitalone.com/oauth2/token
java.io.IOException: Server returned HTTP response code: 400 for URL: https://api-it.cloud.capitalone.com/oauth2/token
	at script_from_command_line.run(script_from_command_line:1)

Setting javax.net.ssl.trustStore replaces the default cacerts entirely rather than adding to it, so with the new truststore, which holds no CA certificate yet, the handshake fails before any HTTP request is sent:

[pwg947@8c8590bb05f2 Trust 15:19:46] $ groovy -Djavax.net.ssl.trustStore=truststore.jks -e '"https://api-it.cloud.capitalone.com/oauth2/token".toURL().text'
Caught: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at script_from_command_line.run(script_from_command_line:1)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	... 1 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	... 1 more

I downloaded the .crt file from https://gist.github.com/drmalex07/40c825b5ad825727d2f2, edited it in vi, and wrote out only the first certificate. I can't explain that. Note that keytool -importcert stores a single certificate under each alias, so a bundle containing several PEM blocks has to be split and imported one entry at a time, and you should look at the certificate you are about to trust (keytool -printcert -file shows its subject and issuer) before importing it. Then I imported it:

[pwg947@8c8590bb05f2 Trust 15:30:35] $ keytool -importcert -alias capitalone-sha2 -file sha2.crt -keystore truststore.jks

And now my JVM trusts the target, based on that single certificate and nothing else:

[pwg947@8c8590bb05f2 Trust 15:31:27] $ groovy -Djavax.net.ssl.trustStore=truststore.jks -e '"https://api-it.cloud.capitalone.com/oauth2/token".toURL().text'
Caught: java.io.IOException: Server returned HTTP response code: 400 for URL: https://api-it.cloud.capitalone.com/oauth2/token
java.io.IOException: Server returned HTTP response code: 400 for URL: https://api-it.cloud.capitalone.com/oauth2/token
	at script_from_command_line.run(script_from_command_line:1)
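The whole procedure above, as a script, is an added example and not part of the original gist: split a PEM bundle into one file per certificate, build a truststore with exactly those certificates (one alias each, created by keytool -importcert itself, so no throwaway -genkey entry is needed), and run the same Groovy check against it. The bundle content, file names and alias names are assumptions for illustration; the certificate bodies in the sample bundle are placeholders, so only the splitting step can run on them, and build_truststore needs a JDK's keytool on PATH.

```shell
#!/bin/sh
# Added example (not from the original gist). Assumes keytool (JDK) and groovy
# are on PATH for build_truststore and check_with_truststore; file and alias
# names are illustrative.
set -eu

# Split a PEM bundle into numbered single-certificate files (<prefix>1.pem,
# <prefix>2.pem, ...). Prints the number of certificates written.
split_pem_bundle() {
    bundle=$1; prefix=$2
    awk -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Build a PKCS12 truststore holding exactly the certificates given, one alias
# each. keytool -importcert creates the keystore file if it does not exist, so
# the store never contains anything but the certificates you chose.
build_truststore() {
    store=$1; password=$2; shift 2
    rm -f "$store"
    i=0
    for cert in "$@"; do
        i=$((i + 1))
        # Show Owner/Issuer before trusting it: you should know what this is.
        keytool -printcert -file "$cert" | head -n 2
        keytool -importcert -noprompt -alias "ca-$i" -file "$cert" \
            -keystore "$store" -storepass "$password" -storetype PKCS12
    done
    keytool -list -keystore "$store" -storepass "$password"
}

# Same check as in the gist: an HTTP status (even a 400) means the handshake
# succeeded; a PKIX "unable to find valid certification path" means it did not.
# trustStoreType is set explicitly because JDK 8 defaults to JKS.
check_with_truststore() {
    store=$1; url=$2
    groovy -Djavax.net.ssl.trustStore="$store" \
           -Djavax.net.ssl.trustStoreType=PKCS12 \
           -e "\"$url\".toURL().text"
}

# Constructed sample bundle: two PEM blocks with placeholder bodies (not real
# certificates), enough to exercise split_pem_bundle offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB-placeholder-first-certificate-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB-placeholder-second-certificate-body
-----END CERTIFICATE-----
EOF
}
```

Typical use with a real bundle: split_pem_bundle bundle.crt ca-, look at each ca-N.pem with keytool -printcert, pass only the one(s) the gateway's chain actually ends in to build_truststore truststore.p12 changeit ca-1.pem, then check_with_truststore truststore.p12 https://api-it.cloud.capitalone.com/oauth2/token. Ship the resulting file with the deployment artifact and reference it from the start script (or JAVA_TOOL_OPTIONS) instead of modifying cacerts on the instance; remember that once javax.net.ssl.trustStore is set, any other host the application talks to must also chain to a certificate in that store.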