Install 52°North Certificate in Java


Introduction

52°North does not (for now) offer an SSL certificate issued by an external trust agency such as Thawte or Oracle (Java installations ship with a keystore of known and trusted certificates). If Maven fails with certificate errors, or simply cannot download 52n artifacts (which should be accessible via browser), you have two options:
  1. Switch repository protocols from https:// to http://
  2. (recommended) follow the next steps to install the 52n certificate into your local Java keystore

Steps to install 52°North Certificate

52°North provides a root certificate which you can manually review and install locally (which tells your system that you checked it and trust us). To do so, take the following steps:
  1. Browse to https://52north.org/maven/
  2. Click in the address bar to show the certificate info
  3. Download the certificate (remove *.), or download the attached one
  4. Ensure %JAVA_HOME%\bin is on your path and %JAVA_HOME% is set to the path used in the command below, e.g. \...\jdk1.7.0_xx\
  5. Open a command line as Administrator
  6. Change to the directory where you downloaded the certificate
  7. Execute the following (default password should be 'changeit'):
keytool -import -alias 52north_ssl_yyyy-mm -file 52north.org.crt -keystore "c:\Program Files\Java\jdk1.7.0_10\jre\lib\security\cacerts"

Adapt the path to your trusted keystore if necessary - most probably you only have to change the version number after jdk. If you have %JAVA_HOME% set to a JDK, you can also use the shortened command:
keytool -import -alias 52north_ssl_yyyy-mm -file 52north.org.crt -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

Running the following command lets you check if everything worked fine:
keytool -list -keystore "c:\Program Files\Java\jdk1.7.0_10\jre\lib\security\cacerts" -alias 52north_ssl_yyyy-mm

The output should be as follows (the date is the date you imported the certificate):
52north_ssl_yyyy-mm, 08.01.2013, trustedCertEntry,
Zertifikat-Fingerprint (SHA1): 80:31:AB:2F:00:F4:DA:82:D1:09:00:BE:33:E3:E7:A3

On Linux systems, use sudo for a system-wide installation and $JAVA_HOME instead of %JAVA_HOME%.
Replace yyyy-mm with the end of life of this certificate.

Notes

DH keypair

I read that people complained about getting a
   java.lang.RuntimeException: Could not generate DH keypair

This may be caused by a Java 7 issue of being unable to handle keys which were generated with more than 1024 bits. Anyway, switching back to Java 6 did the trick for me. Alternatively, you may want to use the light encryption implementation of BouncyCastle (AFAIK replacing the Java encryption libs):

  • JAVA_HOME in /etc/environment:
    export JAVA_HOME=/usr/lib/jvm/java-8-oracle
  • Bouncy Castle JCE provider:
    • *.jars in /usr/lib/jvm/java-8-oracle/jre/lib/ext/
      • bcprov-ext-jdk15on-154.jar
      • bcprov-jdk15on-154.jar
    • Configuration in /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security:
      [...]
      #
      # List of providers and their preference orders (see above):
      #
      # BouncyCastle provider added with priority 1
      security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
      security.provider.2=sun.security.provider.Sun
      security.provider.3=sun.security.rsa.SunRsaSign
      [...]
  • echo deb http://ftp.de.debian.org/debian/ squeeze non-free >> /etc/apt/sources.list
  • apt-get update; apt-get install sun-java6-jdk
  • update-alternatives --config java to Sun Java (some projects need sun-java to compile)

2013-12-18 Update: This issue is fixed in Java jdk1.7.0_21 (source)

2016-04-26 Update: Current key size used by 52North is 4096 and not supported by JDK < 1.9.

SunCertPathBuilderException or HTTP 401

The following errors can occur if you try to publish a Maven site to the WebDAV and do not have the certificates installed.
# Transfer error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



[ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:2.3:deploy (default-cli) on project ...: Error uploading site: Failed to transfer file: ... Return code is: 401 -> [Help 1]

Check which Java version is on your path (this is likely the one used by Maven), because this must be the one the certificate is installed to. If you have multiple JDKs/JREs, make sure that JAVA_HOME, Eclipse (in Preferences > Java > Installed JREs > Standard VM) and Maven (based on JAVA_HOME and/or the Eclipse default) all use the same JRE and that you installed the certificate into that JRE's keystore.
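
For the Linux case, the check described above can be scripted. The following is an added example, not part of the original wiki page: it lists the alias in each JDK's cacerts and compares the reported fingerprint with the one you reviewed before importing. The function names, the script name in the usage line and the jre/lib/security/cacerts layout (JDK 7/8) are assumptions.

```shell
#!/bin/sh
# Added example: confirm the imported alias, with the fingerprint you
# verified, is present in the cacerts of every JDK you name.

# Normalise a fingerprint: drop colons/whitespace, upper-case hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Extract the fingerprint from `keytool -list` output on stdin. Keys on
# the "(SHA1): " suffix, so localized labels such as
# "Zertifikat-Fingerprint" are handled as well.
fp_from_keytool_list() {
    sed -n 's/^.*([A-Za-z0-9-]*): *\([0-9A-Fa-f:]\{5,\}\).*$/\1/p' | head -n 1
}

# $1 = keytool -list output, $2 = expected fingerprint.
# Returns 0 on match, 1 on mismatch, 2 if no fingerprint was listed.
check_listing() {
    actual=$(printf '%s\n' "$1" | fp_from_keytool_list)
    [ -n "$actual" ] || return 2
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# $1 = alias, $2 = expected fingerprint, remaining args = JDK homes.
# Assumes the JDK 7/8 layout and default store password from this page.
check_jdks() {
    alias_name=$1; expected=$2; shift 2; rc=0
    for home in "$@"; do
        ks="$home/jre/lib/security/cacerts"
        out=$("$home/bin/keytool" -list -keystore "$ks" \
            -storepass changeit -alias "$alias_name" 2>&1) || out=""
        st=0; check_listing "$out" "$expected" || st=$?
        case $st in
            0) echo "OK        $ks" ;;
            1) echo "MISMATCH  $ks"; rc=1 ;;
            *) echo "MISSING   $ks"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh check-truststores.sh <alias> <fingerprint> <JDK home>...
if [ "$#" -ge 3 ]; then check_jdks "$@"; fi
```

Pass every JDK home that JAVA_HOME, Eclipse and Maven might resolve to; any line other than OK means that runtime will still fail the handshake or trusts a different certificate under the same alias.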

Modifications to install the enviroCar.org certificate

  • Step 1 of the above workflow: Navigate to enviroCar.org instead.
  • Step 7: Replace 52north_ssl with envirocar_ssl.

Topic revision: r23 - 26 Apr 2016 16:00:17, EikeJuerrens - This page was cached on 20 Jul 2016 - 21:30.
