How to get server certificate chain then verify it's valid and trusted in Java

Backend | Unresolved | 3 answers | 1812 views
时光取名叫无心 2020-11-30 04:22

I need to create an HTTPS connection with a remote server, then retrieve and verify the certificate.

I have established the connection fine:

try {
3 answers
  • 2020-11-30 04:38

    Quick googling brought me to this example using BouncyCastle. I think it better answers the question. http://www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-chain-and-verify-clr-with-bouncy-castle/

  • 2020-11-30 04:40

    The method you want is getServerCertificates, not getServerCertificateChain. There is some nice sample code here.


    EDIT

    Added some sample code of my own. Good starting point for you. Don't forget to look at the Javadocs for HttpsURLConnection and X509Certificate.

    import java.net.URL;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateExpiredException;
    import java.security.cert.CertificateNotYetValidException;
    import java.security.cert.X509Certificate;
    
    import javax.net.ssl.HttpsURLConnection;
    
    public class TestSecuredConnection {
    
        /**
         * @param args
         */
        public static void main(String[] args) {
            TestSecuredConnection tester = new TestSecuredConnection();
            try {
                tester.testConnectionTo("https://www.google.com");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    
        public TestSecuredConnection() {
            super();
        }
    
        public void testConnectionTo(String aURL) throws Exception {
            URL destinationURL = new URL(aURL);
            HttpsURLConnection conn = (HttpsURLConnection) destinationURL
                    .openConnection();
            // connect() performs the TLS handshake; with the default TrustManager the
            // chain has already been validated against the JVM trust store here.
            conn.connect();
            // The chain exactly as the server sent it, server (leaf) certificate first.
            Certificate[] certs = conn.getServerCertificates();
            for (Certificate cert : certs) {
                System.out.println("Certificate is: " + cert);
                if (cert instanceof X509Certificate) {
                    try {
                        // checkValidity() only tests the notBefore/notAfter window;
                        // it throws for expired AND for not-yet-valid certificates.
                        ((X509Certificate) cert).checkValidity();
                        System.out.println("Certificate is active for current date");
                    } catch (CertificateExpiredException cee) {
                        System.out.println("Certificate is expired");
                    } catch (CertificateNotYetValidException cnyve) {
                        System.out.println("Certificate is not yet valid");
                    }
                }
            }
        }
    }
    
  • 2020-11-30 05:02

    This sample code mentioned by Kirby and arulraj.net was removed from Apache CXF in 2011 and did not support OCSP. The Apache PDFBox project "resurrected" this code and added OCSP support and more features that were missing in the original code, e.g. CRL signature check. Since release 2.0.13 the improved source code is available in the examples subproject, in the CertificateVerifier class. It is also available online with small improvements.

    The code is not claiming to be perfect, and does not yet check whether the root is trusted. Development is tracked in JIRA issue PDFBOX-3017.

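The second answer shows how to retrieve the chain, and the third notes that the PDFBox CertificateVerifier does not yet check whether the root is trusted. The following is an added example, written for this page and not taken from any answer or from Apache PDFBox, that does the missing step with the JDK alone: it takes the chain from getServerCertificates() and runs full PKIX path validation (signatures, dates, constraints, OCSP/CRL revocation) against the JVM's default trust anchors, then checks the leaf against the host name, which PKIX itself does not do. The class name ChainValidator, the helper names, and network access to the URL given on the command line are assumptions of the example; the trust store is whatever the JVM resolves as its default (cacerts or javax.net.ssl.trustStore).

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example class (not from the original page): explicit chain validation with the JDK PKIX API.
public class ChainValidator {

    /** Trust anchors from the JVM's default trust store (cacerts, or javax.net.ssl.trustStore). */
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the platform default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(root, null));
                }
            }
        }
        return anchors;
    }

    /**
     * Full PKIX path validation: signatures, validity dates, basic constraints, key usage,
     * name constraints and (optionally) OCSP/CRL revocation, ending at one of the anchors.
     * Throws CertPathValidatorException carrying the failing index and reason.
     */
    static PKIXCertPathValidatorResult validateChain(List<X509Certificate> chain,
                                                     Set<TrustAnchor> anchors,
                                                     boolean checkRevocation) throws Exception {
        // The path is leaf-first and must not contain the trust anchor itself; servers
        // sometimes send their root as well, so drop any certificate that is an anchor.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cert : chain) {
            boolean isAnchor = false;
            for (TrustAnchor a : anchors) {
                if (cert.equals(a.getTrustedCert())) { isAnchor = true; break; }
            }
            if (!isAnchor) path.add(cert);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        if (checkRevocation) {
            // Hard-fail: an unreachable OCSP responder or CRL fails validation, the safe
            // default; add Option.SOFT_FAIL to the set to tolerate network errors instead.
            PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
            rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
            params.addCertPathChecker(rc);
        } else {
            params.setRevocationEnabled(false);
        }
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    /** PKIX says nothing about the host name: compare it to the leaf's dNSName SANs (exact or one-label wildcard). */
    static boolean hostMatchesLeaf(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase();
        int dot = h.indexOf('.');
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) != 2) continue; // GeneralName type 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase();
            if (name.equals(h)) return true;
            if (name.startsWith("*.") && dot > 0 && name.substring(2).equals(h.substring(dot + 1))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://www.google.com";
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.connect(); // the default TrustManager already validated the chain during the handshake;
                        // the explicit check below is what you need once you replace or bypass it
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : conn.getServerCertificates()) chain.add((X509Certificate) c);
        conn.disconnect();
        String host = conn.getURL().getHost();
        System.out.println("Leaf matches host " + host + ": " + hostMatchesLeaf(chain.get(0), host));
        try {
            PKIXCertPathValidatorResult result = validateChain(chain, defaultTrustAnchors(), true);
            System.out.println("Chain is trusted; anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("Chain NOT trusted: " + e.getReason()
                    + " (cert index " + e.getIndex() + "): " + e.getMessage());
        }
    }
}
```

Run it as `java ChainValidator https://example.org`. The result's trust anchor tells you which root in your store the path ended at, and on failure CertPathValidatorException.getReason() and getIndex() point at the certificate that broke the chain (for example NOT_YET_VALID or EXPIRED at index 0, or NO_TRUST_ANCHOR when the server's issuer is not in the store). Hostname matching is done separately because a perfectly valid, trusted chain for some other site is still an impersonation.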