Tuesday, November 15, 2011

Java keystore issues

If you get a javax.net.ssl.SSLHandshakeException while trying to make a secure network connection (a secure socket over SSL/SSH or an HTTPS connection), it is probably because one of the certs on the URL you're trying to hit is missing from your Java keystore. If you're doing development and you're hitting a development environment, your problem is most likely due to a self-signed certificate.

In these cases you need to use keytool to import this certificate.

Steps to perform:
  1. Invoke the URL using your browser and save the certs at every level of the chain in DER format
  2. Save all these DER files somewhere
  3. Invoke keytool: keytool -importcert -alias <myalias> -file <path to my file>.der

So far it's a piece of cake, and if you're a somewhat experienced Java engineer you have most probably done these steps already.

Now if you're working for a big company, your whole development environment is well defined, and most likely the Java version used to compile your projects is also centrally controlled, so you're not using the one that is installed on your workstation or laptop. What I've discovered is that keytool doesn't really give a damn about your JAVA_HOME or PATH settings. Meaning it will choose a key store on your machine using a mysterious algorithm (aka. random) and it will never be the one you expect...

So you have to know where your key store is actually located, and that is your JAVA_HOME/jre/lib/security/cacerts file.

So in order to make keytool use the right key store the above mentioned command has to be altered accordingly:

keytool -importcert -alias <myalias> -file <path to my file>.der -keystore <JAVA_HOME>/jre/lib/security/cacerts

So now using the java under your JAVA_HOME will not cause any javax.net.ssl.SSLHandshakeException and you can live happily ever after!
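The three steps above (grab the chain, save each cert, import each one into the right cacerts) can be done from a shell instead of a browser. The script below is an added example, not the post's own code: it pulls the chain with openssl s_client, splits it into one file per certificate, and imports each file into the cacerts of the JDK under JAVA_HOME. The host name, port and alias prefix are assumptions passed on the command line; the script also assumes openssl is installed and that the store still has the JDK default password "changeit". The keystore lookup checks both jre/lib/security (Java 8 and earlier) and lib/security (Java 9 and later), since the path moved.

```shell
#!/bin/sh
# Added example (not the blog's script): import every certificate in a
# server's chain into the cacerts of the JDK that JAVA_HOME points at.
set -eu

# Print the path of the JDK trust store under $1.
# Java 8 and earlier: jre/lib/security/cacerts; Java 9+: lib/security/cacerts.
find_cacerts() {
    jhome="$1"
    if [ -f "$jhome/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$jhome/jre/lib/security/cacerts"
    elif [ -f "$jhome/lib/security/cacerts" ]; then
        printf '%s\n' "$jhome/lib/security/cacerts"
    else
        return 1
    fi
}

# Split the PEM certificates found in file $1 into $2/chain-1.pem,
# $2/chain-2.pem, ... (anything outside BEGIN/END markers is dropped).
# Prints the number of certificates written.
split_pem_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Fetch the chain presented by $1:$2 and import each link as "$3-<n>"
# into the cacerts of $JAVA_HOME (explicit -keystore, as the post recommends).
import_server_chain() {
    host="$1"; port="$2"; prefix="$3"
    store=$(find_cacerts "$JAVA_HOME")
    tmp=$(mktemp -d)
    # -showcerts prints every certificate the server sends, not only the leaf
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$tmp/chain.txt"
    count=$(split_pem_chain "$tmp/chain.txt" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        # keytool reads PEM as well as DER; -noprompt skips the
        # "Trust this certificate?" question; "changeit" is the JDK default.
        "$JAVA_HOME/bin/keytool" -importcert -noprompt -trustcacerts \
            -alias "$prefix-$i" -file "$tmp/chain-$i.pem" \
            -keystore "$store" -storepass changeit
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# usage: JAVA_HOME=/path/to/jdk sh import_chain.sh dev.example.internal 443 dev-chain
if [ "${1:-}" ] && [ "${3:-}" ]; then
    import_server_chain "$1" "${2:-443}" "$3"
fi
```

Running the import against the explicit -keystore path is the whole point: it is the only way to be sure the certs land in the cacerts of the JDK your build actually uses rather than whatever keytool picks on its own. Check the result afterwards with `keytool -list -keystore <that path> -storepass changeit | grep <alias prefix>`, and only import certs for development hosts you control, since anything added to cacerts is trusted by every program that runs on that JDK.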
