To import the trusted certificate you must:
1) Extract your Vault server's public SSL certificate from the IIS Server in which the Vault Server has been installed. Many web browsers will allow you to browse to the Vault Server (https://VAULTSERVER-HOST/VaultService/VaultService.asmx - where VAULTSERVER-HOST is the host name of your Vault Server installation), view and extract the Vault server's certificate.
If further instructions are required, search for "Export SSL Certificate from Browser" and look for examples for your particular browser. However, the following are instructions for how to export SSL certificates for Firefox and Chrome for quick reference:
Firefox 55:
- Browse to https://VAULTSERVER-HOST/VaultService/VaultService.asmx
- From the context menu for the page, choose "View Page Info"
- Click the Security button on the top tool bar
- Click "View Certificate"
- On the Details page, expand the Certificate Hierarchy, and select the certificate which is assigned to the Vault Server. This is usually the bottom node of the hierarchy
- On the bottom, click Export to save the certificate to a file on disk
Chrome:
- Browse to https://VAULTSERVER-HOST/VaultService/VaultService.asmx
- From the context menu for the page, choose "Inspect"
- On the Chrome DevTools panel, click the "Security" tab
- Next click the "View Certificate" button
- On the ensuing dialog, choose "Details"
- Finally, click "Copy to File..." to invoke the Certificate Export Wizard to export the SSL Certificate to a file on disk
2) Locate the cacerts file of the Java installation that will connect to the Vault Server.
Note, for Eclipse, you can check which JVM is driving Eclipse from the Help -> About Eclipse dialog. Click the "Installation Details" button and then the "Configuration" tab. The line immediately after the '-vm' argument shows which JVM is being used.
For OS X, from a Terminal shell, type /usr/libexec/java_home which should provide the installation of the Java JDK / JRE. For example, with the Java JDK installed on El Capitan the path from java_home may be /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home. Next, using this path, find the full path of the file $JAVA_HOME/jre/lib/security/cacerts.
For Linux, from a console shell, type echo $JAVA_HOME. Next, using this path, find the full path of the file $JAVA_HOME/lib/security/cacerts or $JAVA_HOME/jre/lib/security/cacerts.
For Windows, from a command prompt, type echo %JAVA_HOME%. Next, using this path, find the full path of the file %JAVA_HOME%\lib\security\cacerts or %JAVA_HOME%\jre\lib\security\cacerts.
3) Import the Server SSL certificate into your Java keystore's trusted certificates.
On Mac or Linux from a console / terminal run the following command:
sudo keytool -keystore /path/to/java/keystore/cacerts -importcert -file /path/to/vault/server/certificate.crt
On Windows run the following from a command prompt:
keytool -keystore "DRIVE:\path\to\java\keystore\cacerts" -importcert -file "DRIVE:\path\to\vault\server\certificate.crt"
You will need the keystore password to modify it. By default this password is 'changeit'. Note: if you switch to a different JDK / JRE, you will need to rerun this command, because each Java installation has its own cacerts file.
Note: if you already have a certificate under the "mykey" alias (the default alias keytool uses when none is given), the import fails with the following error:
keytool error: java.lang.Exception: Certificate not imported, alias already exists
In that case, import the new certificate under a different alias (-alias newalias) or remove your old certificate first (Mac/Linux example: sudo keytool -keystore /path/to/java/keystore/cacerts -delete -alias mykey).
If the command correctly imports the Vault Server SSL certificate into the Java keystore, you should now be able to connect to the Vault Server using SSL.
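The three steps above, carried out from a Mac/Linux shell, as an added example that is not part of the original article or of the Vault product. It assumes JAVA_HOME points at the JVM that will run the Vault client, that openssl and keytool are on the PATH, that the keystore password is the Java default 'changeit' unless STOREPASS is set, and that VAULTSERVER-HOST is a placeholder host name. Instead of the browser export it fetches the certificate with openssl s_client (an alternative, not the article's method), prints the SHA-256 fingerprint so it can be compared with the value the Vault administrator reports before anything is trusted, and imports under a dedicated alias so the "alias already exists" collision on the default "mykey" alias cannot occur. On Windows the same keytool flags apply; only the path syntax differs.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Vault product.
# Assumptions: JAVA_HOME is the JVM that will run the Vault client; openssl and
# keytool are on the PATH; VAULTSERVER-HOST is a placeholder host name.

# Return the cacerts path for a Java home, checking the JDK 9+ layout
# (lib/security) first and the JDK 8 layout (jre/lib/security) second.
find_cacerts() {
    java_home="$1"
    for candidate in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Fetch the server's leaf certificate over TLS and save it as PEM.
# SNI (-servername) is sent so a shared IIS host serves the right certificate.
fetch_cert() {
    host="$1"
    out="$2"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$out"
}

# Print the SHA-256 fingerprint for out-of-band comparison before trusting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import under a descriptive alias. keytool refuses to overwrite an existing
# alias ("alias already exists"), so a stale entry under that alias is removed
# first; the final -list confirms the entry is present (non-zero exit = failure).
import_cert() {
    keystore="$1"
    certfile="$2"
    alias="${3:-vaultserver}"
    storepass="${STOREPASS:-changeit}"
    if keytool -keystore "$keystore" -storepass "$storepass" -list -alias "$alias" >/dev/null 2>&1; then
        keytool -keystore "$keystore" -storepass "$storepass" -delete -alias "$alias"
    fi
    keytool -keystore "$keystore" -storepass "$storepass" -importcert -noprompt \
        -alias "$alias" -file "$certfile"
    keytool -keystore "$keystore" -storepass "$storepass" -list -alias "$alias"
}

# Usage: VAULT_HOST=VAULTSERVER-HOST sh import_vault_cert.sh
# (guarded so the functions can be sourced without side effects)
if [ -n "${VAULT_HOST:-}" ]; then
    cacerts="$(find_cacerts "${JAVA_HOME:?JAVA_HOME must be set}")" || {
        echo "no cacerts found under $JAVA_HOME" >&2; exit 1; }
    fetch_cert "$VAULT_HOST" /tmp/vaultserver.crt
    cert_fingerprint /tmp/vaultserver.crt   # compare with the administrator's value
    # cacerts is usually root-owned; run with sudo if the import fails on permissions
    import_cert "$cacerts" /tmp/vaultserver.crt vaultserver
fi
```

The alias is chosen per server so that re-running the script after a certificate renewal replaces only that entry and leaves the rest of the trust store untouched; remember that the import modifies the cacerts of one JVM only, so it must be repeated for every Java installation (or Eclipse -vm) that will talk to the Vault Server.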