Now get a target server's root certificate from the comfort of your own browser, without getting your local IP white-listed
My obsession with this new way of hitting the PI server using servlets took a new turn when a brilliant colleague of mine asked me to program a way to get a target server's root certificate without having to ask the partner for it, and without running a command on the cloud server, which is harder to access.
So here it is: get the target server's certificates through the PI server, from the comfort of your own browser, without getting your local IP white-listed. (Of course, the PI server itself must be able to reach the target.)
The servlet takes the target URL as a query parameter, prints out the full chain of certificates the server presents, and writes the X.509 certificate out in PEM form, the .CER format you can import into your keystore. One point to keep in mind: the chain is returned end-entity (server) certificate first, then the issuing CAs, so the root, when the server sends it at all, is the last element, not the first. Many servers send only the intermediates, in which case the last element is the topmost CA you can trust.
Here is a sample run against a Google URL (the output screenshot is not reproduced here). Scroll down in the output to the line "X509 Certificate in encoded form" to get the X.509 certificate as .CER:
Here is the snippet that does the job for you.
To build the servlet you can always refer to SICF on PI/PO.
To enable logging you can refer to Logging Incoming Requests.
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String url = request.getParameter("url");
    // Only https URLs make sense here (the cast below would fail for anything else), and this
    // servlet opens an outbound connection on the caller's behalf, so keep it admin-only.
    if (url == null || !url.toLowerCase().startsWith("https://")) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "url must be an https:// URL");
        return;
    }
    response.setContentType("text/plain; charset=UTF-8"); // plain text, so the browser does not try to render the dump as HTML
    PrintWriter out = response.getWriter();
    try {
        // The whole point is to fetch the chain of a server the PI JVM does NOT trust yet. With the default
        // trust store, connect() would fail with SSLHandshakeException before the chain is available, so
        // certificate validation is switched off for this one connection only. Nothing is sent or read
        // after the handshake; the certificates are only printed, never trusted automatically.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } }, null);
        // The explicit sun.net.www.protocol.https.Handler bypasses the https URL handler registered on the
        // server JVM; NWDS flags this sun.* reference as an access restriction (see below).
        HttpsURLConnection connection = (HttpsURLConnection) new URL(null, url, new sun.net.www.protocol.https.Handler()).openConnection();
        connection.setSSLSocketFactory(ctx.getSocketFactory());
        connection.setHostnameVerifier((hostname, session) -> true); // name mismatch must not abort the fetch either
        connection.setRequestMethod("GET");
        connection.connect();
        Certificate[] certs = connection.getServerCertificates();
        if (certs == null || certs.length == 0 || !(certs[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("No server's end-entity certificate");
        }
        // Chain order is end-entity first, then the issuing CAs; the last element is the topmost CA the
        // server sent (often an intermediate, not the root itself). Every element is written as PEM.
        Base64.Encoder encoder = Base64.getMimeEncoder(64, System.getProperty("line.separator").getBytes());
        for (int i = 0; i < certs.length; i++) {
            X509Certificate x509cert = (X509Certificate) certs[i];
            out.append("Certificate [" + i + "] " + (i == 0 ? "(end-entity)" : "(CA)") + " is : " + x509cert + "\n");
            String pemCert = "-----BEGIN CERTIFICATE-----\n" + new String(encoder.encode(x509cert.getEncoded())) + "\n-----END CERTIFICATE-----\n";
            out.append("X509 Certificate [" + i + "] in encoded form : \n").append(pemCert);
        }
    } catch (Exception e) {
        out.append("Exception occurred : ").append(String.valueOf(e.getMessage())).append(" :");
        e.printStackTrace(out);
    }
}
If NWDS underlines the sun.net.www.protocol.https.Handler reference as an error, that is the Eclipse access restriction on internal sun.* classes: set "Forbidden reference (access rules)" under Java Compiler > Errors/Warnings > Deprecated and restricted API to Warning (the original post shows this in a picture).
The import section (shown as a picture in the original post) consists of the java.io, java.net, java.security.cert, java.util.Base64, javax.net.ssl and javax.servlet imports used by the snippet.
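Once the PEM text is in your hands, the next step is deciding which of the blocks to trust and getting it into a keystore. The following is an added example written for this article, not code from the original post or from PI/PO: a small command-line tool that reads the servlet output saved to a file, extracts every `-----BEGIN CERTIFICATE-----` block, checks that the blocks really chain (each one signed by the next), and imports only the CA certificates into a PKCS#12 trust store file. It assumes the file lists certificates end-entity first (the order the servlet and `openssl s_client -showcerts` print them); the class name, the alias scheme `partner-<kind>-<index>` and the .p12 file are all hypothetical, and the PI/PO NWA key storage is not touched.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Hypothetical helper written for this article (not part of the servlet or of PI/PO):
 * reads the servlet's saved output, extracts every PEM certificate block, checks that the
 * blocks really form a chain, and imports the CA certificates into a PKCS#12 trust store file.
 * The NWA key storage of PI/PO is not touched; the .p12 is a plain Java trust store.
 */
public class ImportChainToTrustStore {

    private static final Pattern PEM_BLOCK = Pattern.compile(
            "-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", Pattern.DOTALL);

    /** Returns every certificate found in the text, in the order it was printed (end-entity first). */
    static List<X509Certificate> parsePemBlocks(String text) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        Matcher m = PEM_BLOCK.matcher(text);
        while (m.find()) {
            byte[] pem = m.group().getBytes(StandardCharsets.ISO_8859_1);
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem)));
        }
        return certs;
    }

    /** Each certificate must be signed by the next one; otherwise the server sent a broken or unrelated chain. */
    static void verifyLinks(List<X509Certificate> chain) throws Exception {
        for (int i = 0; i + 1 < chain.size(); i++) {
            chain.get(i).verify(chain.get(i + 1).getPublicKey()); // SignatureException if it does not link
        }
    }

    /** CA certificates carry BasicConstraints cA=TRUE; getBasicConstraints() is -1 for end-entity certificates. */
    static boolean isCa(X509Certificate c) { return c.getBasicConstraints() != -1; }

    /** A self-signed CA (issuer equals subject) is a root; any other CA is an intermediate. */
    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ImportChainToTrustStore <servlet-output.txt> <truststore.p12> <password>");
            System.exit(2);
        }
        String text = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.ISO_8859_1);
        char[] password = args[2].toCharArray();
        File storeFile = new File(args[1]);

        KeyStore ks = KeyStore.getInstance("PKCS12"); // trusted-certificate entries in PKCS#12 need Java 8 or later
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) { ks.load(in, password); }
        } else {
            ks.load(null, password); // start with an empty store
        }

        List<X509Certificate> chain = parsePemBlocks(text);
        if (chain.isEmpty()) throw new IllegalArgumentException("no PEM certificate block found in " + args[0]);
        verifyLinks(chain);

        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            String subject = c.getSubjectX500Principal().getName();
            if (!isCa(c)) {
                // The end-entity certificate is re-issued most often; pinning trust to it breaks at the next renewal.
                System.out.println("skip leaf: " + subject);
                continue;
            }
            String kind = isSelfSigned(c) ? "root" : "intermediate";
            try {
                c.checkValidity();
            } catch (CertificateException e) {
                System.out.println("skip " + kind + " (" + e.getMessage() + "): " + subject);
                continue;
            }
            String alias = "partner-" + kind + "-" + i; // hypothetical alias scheme
            ks.setCertificateEntry(alias, c);
            System.out.println("import " + kind + " as '" + alias + "': " + subject + " (valid until " + c.getNotAfter() + ")");
        }
        try (OutputStream out = new FileOutputStream(storeFile)) { ks.store(out, password); }
        System.out.println("wrote " + storeFile);
    }
}
```

Run it as `java ImportChainToTrustStore output.txt partners.p12 changeit` after saving the servlet's page to `output.txt`. The tool deliberately skips the end-entity certificate: trusting the leaf works until the partner renews it, whereas trusting the issuing CA survives renewals. If the file holds only the leaf (a server that sends no CA certificates, or output that contains a single PEM block), nothing is imported and the chain has to be completed from the CA's published certificates.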
This code was tested by my colleague, and for him the formatting did not render properly on Microsoft Edge but worked on Firefox and Chrome.
Disclaimer: this servlet makes the PI server open an outbound TLS connection to whatever URL the caller supplies, so it must stay restricted to administrators and out of productive systems. We do not use it productively, and neither should you.
Regards
Fariha
Not sure if this needs living on a PI server but I feel your pain with outgoing SSL inspection by the corporate proxy server. However, there ought to be a multitude of options without needing a servlet on a PI server, e.g. https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
Appreciate your dedication, though 🙂
Thanks Jens, I am fully aware of this openssl method and many other options like the curl command that we can use to get the certificates (for which you cannot use your private laptop as it might not be whitelisted at the target server).
But this approach has a different use case, and caters to a product-based environment for people who have to deal with connectivity requests every now and then for their growing base of partners; it can also be helpful for migration projects where you move to a new cloud server that is difficult or restricted to access.
I would say this was not a result of dedication but rather a need and indeed necessity is the mother of invention. 🙂
Regards