© 2010 First Data Corporation. All Rights Reserved. All trademarks, service marks and trade names referenced in this material are the property of their respective owners.
Verify Needed Root Certificates Exist in Java Trust Store for Datawire JavaAPI
Purpose
This document describes the steps to check for, and if necessary import, the root CA certificates that the JDK's trust store needs. A properly set up trust store allows Datawire JavaAPI to keep functioning when the Datawire servers' certificates are upgraded to 2048-bit keys in 2014.
What the needed VeriSign Root CA certificates are
All of the following CA root certificates are needed to ensure that Datawire JavaAPI works reliably:

Root certificate 1: VeriSign Class 3 Public Primary CA
Class 3 Public Primary Certification Authority (VeriSign Class 3 Public Primary CA)
Version = 1
Country = US
Organization = VeriSign, Inc.
Organizational Unit = Class 3 Public Primary Certification Authority
Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be
Valid From: Sunday, January 28, 1996 4:00:00 PM
Valid To: Wednesday, August 02, 2028 3:59:59 PM
Certificate SHA1 Thumbprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b
Key Size: RSA (1024 Bits)
Signature Algorithm: sha1RSA
File name in Root package: Class 3 Public Primary Certification Authority

Root certificate 2: VeriSign Class 3 Primary CA – G5
VeriSign Class 3 Public Primary Certification Authority - G5
Version = 3
Country = US
Organization = VeriSign, Inc.
Organizational Unit = VeriSign Trust Network
Organizational Unit = (c) 2006 VeriSign, Inc. - For authorized use only
Common Name = VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
Operational Period: Tue, November 07, 2006 to Wed, July 16, 2036
Certificate SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
Key Size: RSA (2048 Bits)
Signature Algorithm: sha1RSA
To download the VeriSign Root CAs:
1. Go to http://www.verisign.com/support/roots.html and click on the link 'Download a root package for VeriSign Certificates (roots.zip file)'.
2. Select 'Save File'.
3. Click 'OK'.
4. Locate the folder where the .zip file was saved.
5. Extract the .zip file and locate the 'Serial Numbers.txt' file. This will be used to locate the correct folder for each VeriSign Root CA.
6. Go to the folder where the Root CA is located.
What the needed Equifax Root CA certificate is
Root certificate 3: Equifax Secure Certificate Authority
Version: 3
Organization: Equifax
Country: US
Serial Number: 35:DE:F4:CF
Validity Period: Sat Aug 22, 1998 to Wed Aug 22, 2018 (GMT)
Certificate Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
Certificate Fingerprint (SHA-1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
Key Length: 1024
To download the Equifax Root CA:
1. Go to http://www.geotrust.com/resources/root-certificates/ and look for “Root 1 – Equifax Secure Certificate Authority” (exp 8/22/2018).
2. Right Click on “Download – Equifax Secure Certificate Authority” and “Save Target As”.
3. Click 'Save'.
Steps to Verify
1. Get the location of the trust store file (part of the Datawire JavaAPI environment). Suppose <java_home> is the location of the JDK home directory.
Check the file <java_home>/jre/lib/management/management.properties for this line:
javax.net.ssl.trustStore=/location/to/trustStore
Then /location/to/trustStore is the location of the trust store file. If the above line is commented out, like below:
# javax.net.ssl.trustStore=/location/to/trustStore
then by default the trust store file is located at: <java_home>/jre/lib/security/cacerts
2. Dump all certificates in the trust store file using the JDK's keytool program. Suppose the trust store file location identified in step 1 above is "/location/to/trustStore":
$ keytool -list -keystore /location/to/trustStore -v > tmp.store
Note:
-- On Windows, the file path should use backslashes ("\"), so it would be "location\to\trustStore".
-- The default password of the preinstalled trust store file cacerts is "changeit".
This command will dump all the certificates' details into the temporary file "tmp.store". Open this file and search for the following strings (each is the serial number of a needed certificate):
"3c9131cb1ff6d01b0e9ab8d044bf12be" – to find root certificate 1, "VeriSign Class 3 Public Primary CA";
"18dad19e267de8bb4a2158cdcc6b3b4a" – to find root certificate 2, "VeriSign Class 3 Primary CA – G5";
"35def4cf" – to find root certificate 3, "Equifax Secure Certificate Authority".
If the string can be found, compare all the other details (subject, issuer, version, validity period, etc.) against the details described above in the section "What the needed certificates are". If all three matches are found, your store is good and there is nothing to be done. If any one, two or all of them cannot be found, or their details do not match, go to the next step (step 3) to import the missing certificate(s).
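The search-and-compare check above, as an added example that is not part of the First Data document: a small Python script that parses the tmp.store dump produced by keytool -list -v and reports, for each of the three needed root CAs, whether it is present with the expected serial number and SHA1 fingerprint. The sample dump embedded in it is constructed for illustration; the SHA1 on its second entry is a deliberately wrong value.

```python
# Added example (not the First Data document's code): check a `keytool -list -v`
# dump for the three needed root CAs by serial number and SHA1 fingerprint.
import re

# Expected values copied from the certificate details above, in the form
# keytool prints them (lowercase hex, serial without separators).
NEEDED_ROOTS = {
    "VeriSign Class 3 Public Primary CA": ("3c9131cb1ff6d01b0e9ab8d044bf12be",
        "a1:db:63:93:91:6f:17:e4:18:55:09:40:04:15:c7:02:40:b0:ae:6b"),
    "VeriSign Class 3 Public Primary CA - G5": ("18dad19e267de8bb4a2158cdcc6b3b4a",
        "4e:b6:d5:78:49:9b:1c:cf:5f:58:1e:ad:56:be:3d:9b:67:44:a5:e5"),
    "Equifax Secure Certificate Authority": ("35def4cf",
        "d2:32:09:ad:23:d3:14:23:21:74:e4:0d:7f:9d:62:13:97:86:63:3a"),
}

def parse_keytool_dump(text):
    """Map serial number -> SHA1 fingerprint for every entry in the dump."""
    found, serial = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Serial number:\s*([0-9a-f]+)\s*$", line, re.I)
        if m:
            serial = m.group(1).lower()
        m = re.match(r"\s*SHA1:\s*([0-9a-f:]+)\s*$", line, re.I)
        if m and serial:          # the SHA1 line belongs to the last serial seen
            found[serial], serial = m.group(1).lower(), None
    return found

def check_trust_store(dump_text):
    """Return {root name: 'ok' | 'missing' | 'fingerprint mismatch'}."""
    found = parse_keytool_dump(dump_text)
    status = {}
    for name, (serial, sha1) in NEEDED_ROOTS.items():
        if serial not in found:
            status[name] = "missing"
        else:
            status[name] = "ok" if found[serial] == sha1 else "fingerprint mismatch"
    return status

# Constructed, abbreviated sample in keytool -v layout: root 1 correct, root 2
# with a deliberately wrong fingerprint, root 3 (Equifax) absent.
SAMPLE_DUMP = """\
Alias name: verisignclass3ca
Serial number: 3c9131cb1ff6d01b0e9ab8d044bf12be
Certificate fingerprints:
         SHA1: A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
Alias name: verisignclass3g5ca
Serial number: 18dad19e267de8bb4a2158cdcc6b3b4a
Certificate fingerprints:
         SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""
```

Against a real dump, call check_trust_store(open("tmp.store").read()); any root reported as "missing" or "fingerprint mismatch" is one to import in step 3.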
3. Since importing a CA certificate changes a system file, use admin privileges to run the command below (on Windows, run a command prompt as administrator), assuming the downloaded root CA certificate is in the file PCA-3.pem:
The above output indicates that the root CA certificate has been successfully imported (step 2 above can be repeated to view the imported certificates). The above example imports root certificate 1 (see the section "What the needed certificates are"); repeat it for any other root certificates that are missing.