Sunday, September 1, 2013

Adding Godaddy G2 root cert to JDK 7

Java 7 doesn't recognise Godaddy's latest root certificate.

$ java -version
java version "1.7.0_10-ea"
Java(TM) SE Runtime Environment (build 1.7.0_10-ea-b16)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)

Trying to connect to a site signed with the root certificate gives an exception.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...

Until Java 7 supports the certificate natively, it's necessary to install the certifate manually. I installed both the root and intermediate certs, but it's probably only necessary to install the root cert.

wget -O gdroot-g2.crt 'https://certs.godaddy.com/anonymous/repository.pki?streamfilename=gdroot-g2.crt&actionMethod=anonymous%2Frepository.xhtml%3Arepository.streamFile%28%27%27%29&cid=1601132'
wget -O gdig2.crt 'https://certs.godaddy.com/anonymous/repository.pki?streamfilename=gdig2.crt&actionMethod=anonymous%2Frepository.xhtml%3Arepository.streamFile%28%27%27%29&cid=1601132'

export JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.7.0_10.jdk/Contents/Home
sudo $JAVA_HOME/bin/keytool -import -file gdroot-g2.crt -alias gdrootg2 -storepass changeit -trustcacerts -keystore ${JAVA_HOME}/jre/lib/security/cacerts
sudo $JAVA_HOME/bin/keytool -import -file gdig2.crt -alias gdig2 -storepass changeit -trustcacerts -keystore ${JAVA_HOME}/jre/lib/security/cacerts

Thanks to Dave Rose.