Search This Blog

Import Gmail certificate into java keystore

To use Gmail smtp service to send emails from your Java based mail client, you will need to import GMail smtp server's certificate into Java keystore and trust it.


The following procedures are to import the gmail smtp certificate into the default Java keystore (Depends on the java mail application, the location of keystore may be vary):
  1. Connect to smtp.gmail.com:465 to display the certificate in a terminal window:
    • For Linux:
      openssl s_client -connect smtp.gmail.com:465
    • For Mac OS:
      openssl s_client -connect smtp.gmail.com:465
    • For Windows
      • Install openssl first
      • Run command: 
        s_client -connect smtp.gmail.com:465
  2. Copy and save the lines between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" into a file, say, gmail.cert:
    -----BEGIN CERTIFICATE-----
MIIDWzCCAsSgAwIBAgIKFeQVggADAAA7NjANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMTExMTgwMTU3MTdaFw0xMjExMTgwMjA3MTda
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw5zbXRw
LmdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuK+t5ZRq6c3K
kWPwLuIcPa6DgiBURaQK9akP4OBoXKJ6bqYIQWsS4C3RgnOaGaDENadxHSNZ5Qpl
Vqg2S54N54SM5OXwOq0NtrqdlbhgigB53TZouiJvnLDxxIexSOn2Gx1qyZF2z8Ii
MoUhHuStWgW5YoOHje8z6K9xQdYkQp0CAwEAAaOCASwwggEoMB0GA1UdDgQWBBTs
OL4jbtJ5l8B6/eoEvv30KEiTrjAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra
42sSJDBbBgNVHR8EVDBSMFCgTqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dv
b2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNy
bDBmBggrBgEFBQcBAQRaMFgwVgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRp
Yy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRo
b3JpdHkuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJ
KoZIhvcNAQEFBQADgYEAQiMlHuQLRFqR10UsSg5WTNe3vagbdnBLAkdhvAf90B5a
9beBxJH2/ylTSIGfD2uceAqzcsQe6Ouy4C9r3rz86qA1dhdtIcPg6uoZb+E2qhE5
UaOJOPO4rHInX9kscBxh+baHbpBMh+ch6v5L8plss8hd0id8C4g10YKzwcgPYlQ=
-----END CERTIFICATE-----
  3. Import the certificate into java keystore(Default location):
    sudo keytool -import -alias smtp.gmail.com -keystore /path/to/keystore -file /Users/wilson/gmail.cert
    • For Windows:
      keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\Users\wilson\gmail.cert
    • For Mac OS:
      sudo keytool -import -alias smtp.gmail.com -keystore /System/Library/Frameworks/JavaVM.framework//Versions/CurrentJDK/Home/lib/security/cacerts -file /Users/wilson/gmail.cert
    • For Linux:
      sudo keytool -import -alias smtp.gmail.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file /Users/wilson/gmail.cert
    • Note: your need to provide the password to access the keystore. The password for the default java keystore is changeit
  4. Answer Yes when it ask "Trust this certificate? [no]:  yes"
  5. Note: if your java mail client application uses its own keystore, you need to change the location of the application's keystore rather than JVM's keystore in the keytool command.


see also




Labels: , , , ,

11 comments:

  1. + T.I.August 29, 2013 at 4:47 PM

    Why you saved the certificate with the name gmail.cert? This is a especification of the gmail?

    ReplyDelete
    Replies
    1. WXLSeptember 20, 2013 at 4:48 AM

      You can use any file name. It does not matter.

      Delete
  2. AnonymousSeptember 18, 2013 at 1:09 AM

    Guys, steps 2 and 3 are incorrect.
    I spent about 20 minutes and faced out that it should be:
    2. Copy and save ALL lines "-----BEGIN CERTIFICATE----- sniped -----END CERTIFICATE-----" into a file, say, gmail.pem:
    -----BEGIN CERTIFICATE-----
    Blah Blah Blah
    -----END CERTIFICATE-----

    3. Run commands:
    3.1 openssl x509 -outform der -in gmail.pem -out gmail.der
    3.2 keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file gmail.der

    ReplyDelete
    Replies
    1. UnknownSeptember 20, 2013 at 1:41 AM

      where to use 3.1 and 3.2 command ?
      in openssl or in cmd ?

      when i am executing this command in openssl then it show an error :

      OpenSSL> x509 -outform der -in gmail.pem -out gmail.der
      Error opening Certificate gmail.pem
      3460:error:02001002:system library:fopen:No such file or directory:./crypto/bio/
      bss_file.c:356:fopen('gmail.pem','rb')
      3460:error:20074002:BIO routines:FILE_CTRL:system lib:./crypto/bio/bss_file.c:35
      8:
      unable to load certificate
      error in x509

      any idea sir ??

      Delete
    2. WXLSeptember 20, 2013 at 4:46 AM

      According to http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store, keytool can import PEM directly without having to convert to DER. So your 3.1 and 3.2 are unnecessary.

      Delete
    3. WXLSeptember 20, 2013 at 4:51 AM

      I just tested on Mac OS. It works fine.

      Delete
    4. Andrei StanciuFebruary 13, 2017 at 7:58 AM

      A BIG THANK YOU TO ANDREI!
      My machine is a Red Hat Linux, i run the commands in the terminal. It was not working before converting the file from cert or cer to der! Invalid x509 format. Now it did!
      Thank you, man!

      Delete
  3. DeveloperSeptember 21, 2016 at 12:28 AM

    Hi,

    I am getting below error while importing certificate from gmail.

    OpenSSL> s_client -connect smtp.gmail.com:465
    Loading 'screen' into random state - done
    connect: Bad file descriptor
    connect:errno=10061
    error in s_client

    Please help me out in this. What wrong i am doing here.

    ReplyDelete
    Replies
    1. HighCastleMarch 22, 2018 at 7:32 AM

      Try changing the port number to 587. The URL will then be "smtp.gmail.com:587"

      Delete
  4. RajendraJanuary 4, 2019 at 4:00 AM

    Thanks, This works perfect as per your blog. Great.

    ReplyDelete
  5. k21academyOctober 7, 2023 at 8:58 AM

    azure certification path 2023

    ReplyDelete

Subscribe to: Post Comments (Atom)