
My task is to retrieve emails from an IMAPS email server using Java, so as a client I need to authenticate the email server using an appropriate certificate. It seems, however, that this email server is using a self-signed certificate which is not included in the truststore(?) by default. From what I found here, the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword need to be set. The following example is given:

System.setProperty("javax.net.ssl.trustStore","clientTrustStore.key");
System.setProperty("javax.net.ssl.trustStorePassword","qwerty");

My question is how do I obtain this clientTrustStore.key and the related password? Is that something I can generate myself given I know the email server details or is that something that should be provided by the IT department who maintains this email server?

Eugene S

2 Answers


The truststore password is not needed to read the truststore.

You will need to create a truststore, which is usually done with the keytool utility. You will need to obtain the public certificate from the IMAPS server, which can be done in a number of ways. The openssl package has a number of tools that will allow you to save the certificate. Many mail utilities, such as Thunderbird, will allow you to export the certificate. You should also be able to obtain the certificate by enabling SSL debugging and connecting with a simple class. Once you have this certificate, import it into a new keystore using the keytool utility.

If you are on a secure network you can just set the -Dtrust_all_cert=true property and ignore the truststore issue. This leaves you vulnerable to man-in-the-middle attacks. However, it is a pragmatic work-around for self-signed certificates, if this is a one-time retrieval. You can also do this in your code.

There are related questions that will point you in the right direction:

https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
https://stackoverflow.com/questions/1219208/is-it-possible-to-get-java-to-ignore-the-trust-store-and-just-accept-whatever

BillThor
  • Thank you very much for your answer. I didn't realize that trusting all is an option and it can definitely be a good solution in my case. – Eugene S May 17 '17 at 05:01

You need to obtain the public server certificate (either from the server admin or, for instance, with openssl s_client -starttls imap -connect imap-server:143), then use the Java keytool utility to create your own trust store, add that certificate to it, and ship that keystore with your code.

In case the server certificate is signed by an (internal) CA instead of being a self-signed server certificate, you add the CA certificates (e.g. with openssl s_client -starttls imap -showcerts -connect imap-server:143) to your trust store.

HBruijn
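Both answers describe the same procedure (export the server's certificate, pin it in a truststore you build with keytool), and the first one also mentions the trust-all shortcut. The shell script below is an added example and is not code from either answer. It assumes openssl is installed and treats keytool as optional. Because it has to run offline, a locally generated self-signed certificate (constructed here) stands in for the real server certificate, and the s_client transcript it parses is constructed in the shape of `openssl s_client -showcerts` output rather than captured from a server. It also shows the check a trust-all setting gives up: a second self-signed certificate for the same hostname, which is what an impostor would present, does not verify against the pinned one.

```shell
#!/bin/sh
# Added example (not from the original answers): export an IMAPS server's
# self-signed certificate, pin it, and build a Java truststore from it.
# Assumptions: openssl is available; keytool (JDK) is optional. No network is
# used: the "server" certificate below is generated locally and stands in for
# what `openssl s_client -starttls imap -showcerts -connect imap-server:143`
# would print for a real server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the server certificate (self-signed, 1 day).
make_server_cert() {   # $1 = output PEM path, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# `s_client -showcerts` prints handshake chatter around one or more PEM
# blocks; keep only the certificate blocks (leaf first, as the server sends).
extract_pem_certs() {   # stdin = s_client output, stdout = PEM chain
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}'
}

# SHA-256 fingerprint: the value to compare, out of band, with what the
# IT department that runs the server tells you it should be.
sha256_fingerprint() {   # $1 = PEM cert path
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Pinning check: does the presented certificate verify against the exported
# one? A self-signed certificate verifies against itself and nothing else.
verify_pinned() {   # $1 = trusted cert (truststore content), $2 = presented cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Java side: import the exported certificate into a fresh PKCS12 truststore.
build_truststore() {   # $1 = PEM cert, $2 = truststore path, $3 = store password
    keytool -importcert -noprompt -trustcacerts -alias imap-server \
        -file "$1" -keystore "$2" -storetype PKCS12 -storepass "$3" >/dev/null 2>&1
}

demo() {
    make_server_cert "$WORK/server.pem" imap-server

    # Constructed transcript in the shape of s_client -showcerts output.
    # Against a real server you would capture it with:
    #   openssl s_client -starttls imap -showcerts -connect imap-server:143 </dev/null
    {
        echo "CONNECTED(00000003)"
        echo "depth=0 CN = imap-server"
        echo "verify error:num=18:self-signed certificate"
        echo "---"
        echo "Certificate chain"
        echo " 0 s:CN = imap-server"
        echo "   i:CN = imap-server"
        cat "$WORK/server.pem"
        echo "---"
    } > "$WORK/s_client.txt"

    extract_pem_certs < "$WORK/s_client.txt" > "$WORK/exported.pem"
    echo "exported fingerprint: $(sha256_fingerprint "$WORK/exported.pem")"

    # What an impostor with its own self-signed cert for the same name presents.
    make_server_cert "$WORK/impostor.pem" imap-server
    verify_pinned "$WORK/exported.pem" "$WORK/server.pem" \
        && echo "real server: matches pinned certificate"
    verify_pinned "$WORK/exported.pem" "$WORK/impostor.pem" \
        || echo "impostor: rejected (a trust-all setting would have accepted it)"

    if command -v keytool >/dev/null 2>&1; then
        build_truststore "$WORK/exported.pem" "$WORK/clientTrustStore.p12" changeit
        echo "truststore written; use -Djavax.net.ssl.trustStore=$WORK/clientTrustStore.p12"
    fi
}

demo
```

Against a real server, replace the constructed transcript with the output of openssl s_client -starttls imap -showcerts -connect imap-server:143 </dev/null, compare the printed fingerprint with the value the IT department gives you over a channel you already trust, and point javax.net.ssl.trustStore at the resulting file; the store password chosen here (changeit) is the one javax.net.ssl.trustStorePassword must carry. If the server's certificate is issued by an internal CA, import the CA certificate from the chain instead of the leaf.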