Technical Articles
Fariha Kazi

Now get the target server's root certificate in the comfort of your own browser, without getting your local IP whitelisted

My obsession with this new way of hitting the PI server using servlets took a new turn when a brilliant colleague of mine asked me to program a way to get the target root certificate without having to ask the target's owners for it, and without running a command on your cloud server, which is harder to access.

So now you can get the target server's root certificate without getting your local IP whitelisted, in the comfort of your own browser, through the PI server. (Of course, your PI server must be able to reach the target.)

The servlet takes the URL as a query parameter, prints out the full chain of certificates, and also writes the root certificate (which you can then trust in your keystore) in .CER format.

Here is a sample for google:

Scroll down to get the X509 Certificate as .CER:

Here is the snippet that does the job for you.

To build the servlet you can always refer to SICF on PI/PO.

To enable logging you can refer to Logging Incoming Requests.

import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CertificateServlet extends HttpServlet {

	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		// Plain text, so the line breaks of the PEM block are rendered as-is by every browser
		response.setContentType("text/plain; charset=UTF-8");
		try {
			// NOTE: the PI server opens a connection to whatever URL the caller supplies,
			// so access to this servlet has to stay restricted (see the disclaimer below)
			String url = request.getParameter("url");
			final String LINE_SEPARATOR = System.getProperty("line.separator");

			// The explicit https Handler requires an https:// URL; anything else fails the cast below
			HttpsURLConnection connection = (HttpsURLConnection) new URL(null, url, new sun.net.www.protocol.https.Handler()).openConnection();
			connection.setRequestMethod("GET");
			connection.connect();

			// Chain as presented by the server during the TLS handshake: certs[0] is the
			// end-entity (leaf) certificate, the last element is the highest CA the server
			// sends (the self-signed root itself is often not included in the handshake)
			Certificate[] certs = connection.getServerCertificates();
			if (certs == null || certs.length == 0 || !(certs[0] instanceof X509Certificate)) {
				throw new SSLPeerUnverifiedException("No server's end-entity certificate");
			}
			for (Certificate cert : certs) {
				response.getWriter().append("Certificate is : " + cert);
			}

			X509Certificate x509cert = (X509Certificate) certs[0];

			// PEM (.CER) form: Base64 of the DER bytes in 64-character lines, wrapped in the CERTIFICATE markers
			Base64.Encoder encoder = Base64.getMimeEncoder(64, LINE_SEPARATOR.getBytes());
			String cert_begin = "-----BEGIN CERTIFICATE-----\n";
			String end_cert = "\n-----END CERTIFICATE-----";

			byte[] derCert = x509cert.getEncoded();
			String pemCertPre = new String(encoder.encode(derCert));
			String pemCert = cert_begin + pemCertPre + end_cert;

			response.getWriter().append("X509 Certificate in encoded form : \n").append(pemCert);
		} catch (Exception e) {
			// The stack trace is sent back to the caller: handy for a diagnostic tool, not something for productive use
			response.getWriter().append("Exception occurred : ").append(e.getMessage() + " :");
			e.printStackTrace(response.getWriter());
		}
	}
}


If the snippet shows an error on the underlined part, as in the picture below, you need to set the access restrictions to Warning as shown in the next picture.

The import section:


This code was tested by my colleague, and for him the formatting did not render properly on Microsoft Edge but worked on Firefox and Chrome.

Disclaimer: We are not using this for productive use, and neither should you.
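
As an added example, not part of the post or its servlet: a stand-alone Java program (hypothetical class name ChainToCer, run as `java ChainToCer https://host/ out.cer`) that fetches the same chain, but verifies that each certificate is signed by the next one before writing the top-most CA certificate, rather than certs[0], to a .cer file. It assumes Java 8 or later and an https:// URL.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;

// Hypothetical stand-alone helper (not the post's servlet): fetches the chain,
// checks that it is linked, and writes the top-most CA certificate as .cer.
public class ChainToCer {
    // The chain the server presents in the TLS handshake. Element 0 is the end-entity
    // (leaf) certificate; each later element is the issuer of the previous one.
    // The self-signed root is often not sent at all. Assumes an https:// URL.
    static X509Certificate[] fetchChain(String httpsUrl) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.connect();
        try {
            Certificate[] certs = conn.getServerCertificates();
            X509Certificate[] chain = new X509Certificate[certs.length];
            for (int i = 0; i < certs.length; i++) chain[i] = (X509Certificate) certs[i];
            return chain;
        } finally {
            conn.disconnect();
        }
    }
    // Verify that every certificate was issued and signed by the next one, then
    // return the top of the chain: the candidate to import as trust anchor.
    static X509Certificate topOfChain(X509Certificate[] chain) throws GeneralSecurityException {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = chain[i], parent = chain[i + 1];
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal()))
                throw new GeneralSecurityException("chain broken between index " + i + " and " + (i + 1));
            child.verify(parent.getPublicKey()); // throws if the signature does not match
        }
        return chain[chain.length - 1];
    }
    // .cer (PEM) form: Base64 of the DER bytes in 64-character lines.
    static String toPem(X509Certificate c) throws GeneralSecurityException {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(c.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }
    public static void main(String[] args) throws Exception {
        X509Certificate top = topOfChain(fetchChain(args[0]));
        boolean selfSigned = top.getIssuerX500Principal().equals(top.getSubjectX500Principal());
        System.out.println(top.getSubjectX500Principal() + (selfSigned ? " (self-signed root)" : " (intermediate; the server did not send the root)"));
        try (FileOutputStream out = new FileOutputStream(args[1])) {
            out.write(toPem(top).getBytes("US-ASCII"));
        }
    }
}
```

The written file can be imported with keytool -importcert; if the program reports an intermediate, the server did not send the self-signed root and that root has to be obtained from the CA separately before trusting it.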

Regards

Fariha

2 Comments

Jens Schwendemann

Not sure if this needs to live on a PI server, but I feel your pain with outgoing SSL inspection by the corporate proxy server. However, there ought to be a multitude of options without needing a servlet on a PI server, e.g. https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

      Appreciate your dedication, though 🙂

Fariha Kazi
Blog Post Author

Thanks Jens, I am fully aware of this openssl method and many other options, like the curl command, that we can use to get the certificates (for which you cannot use your private laptop, as it might not be whitelisted at the target server).

But this approach has a different use case, and caters to a product-based environment for people who have to deal with connectivity requests every now and then for their growing base of partners; it can also be helpful for migration projects where you move to a new cloud server that is difficult/restricted to access.

      I would say this was not a result of dedication but rather a need and indeed necessity is the mother of invention. 🙂

      Regards