Import Gmail certificate into java keystore

To use Gmail's SMTP service from a Java-based mail client, the client's JVM must trust the certificate that smtp.gmail.com presents during the TLS handshake. A JVM whose trust store already contains the CA that issued Google's certificate needs nothing further; if instead the handshake fails with a PKIX path-building error ("unable to find valid certification path to requested target"), you can import the Gmail SMTP server's certificate into the Java keystore and trust it, as described below.


The following steps import the Gmail SMTP certificate into the default Java keystore (depending on the Java mail application, the location of the keystore may vary; see step 5):
  1. Connect to smtp.gmail.com:465 (implicit TLS) so that openssl prints the server's certificate in a terminal window. The first certificate in the output is the server's own; the "Verify return code" line near the end tells you whether openssl's trust store accepted the chain. If you use port 587 instead, it speaks STARTTLS, so add -starttls smtp to the command:
    • For Linux:
      openssl s_client -connect smtp.gmail.com:465
      
    • For Mac OS:
      openssl s_client -connect smtp.gmail.com:465
      
    • For Windows:
      • Install OpenSSL first
      • Run openssl.exe and, at its OpenSSL> prompt, enter:
        s_client -connect smtp.gmail.com:465
        
  2. Copy the whole certificate block, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines (keytool needs them to recognise the PEM format), and save it into a file, say, gmail.cert. The block below is the certificate served at the time of writing; decoded, it is the leaf certificate for CN=smtp.gmail.com issued by Google Internet Authority and valid only from 2011-11-18 to 2012-11-18, so capture the certificate your own connection shows rather than copying this one:
    -----BEGIN CERTIFICATE-----
    MIIDWzCCAsSgAwIBAgIKFeQVggADAAA7NjANBgkqhkiG9w0BAQUFADBGMQswCQYD
    VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
    dGVybmV0IEF1dGhvcml0eTAeFw0xMTExMTgwMTU3MTdaFw0xMjExMTgwMjA3MTda
    MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
    b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw5zbXRw
    LmdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuK+t5ZRq6c3K
    kWPwLuIcPa6DgiBURaQK9akP4OBoXKJ6bqYIQWsS4C3RgnOaGaDENadxHSNZ5Qpl
    Vqg2S54N54SM5OXwOq0NtrqdlbhgigB53TZouiJvnLDxxIexSOn2Gx1qyZF2z8Ii
    MoUhHuStWgW5YoOHje8z6K9xQdYkQp0CAwEAAaOCASwwggEoMB0GA1UdDgQWBBTs
    OL4jbtJ5l8B6/eoEvv30KEiTrjAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra
    42sSJDBbBgNVHR8EVDBSMFCgTqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dv
    b2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNy
    bDBmBggrBgEFBQcBAQRaMFgwVgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRp
    Yy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRo
    b3JpdHkuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJ
    KoZIhvcNAQEFBQADgYEAQiMlHuQLRFqR10UsSg5WTNe3vagbdnBLAkdhvAf90B5a
    9beBxJH2/ylTSIGfD2uceAqzcsQe6Ouy4C9r3rz86qA1dhdtIcPg6uoZb+E2qhE5
    UaOJOPO4rHInX9kscBxh+baHbpBMh+ch6v5L8plss8hd0id8C4g10YKzwcgPYlQ=
    -----END CERTIFICATE-----
    
  3. Import the certificate into the Java keystore (by default the cacerts file under the JRE's lib/security directory):
    sudo keytool -import -alias smtp.gmail.com -keystore /path/to/keystore -file /Users/wilson/gmail.cert
    
    • For Windows:
      keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\Users\wilson\gmail.cert
      
    • For Mac OS:
      sudo keytool -import -alias smtp.gmail.com -keystore /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home/lib/security/cacerts -file /Users/wilson/gmail.cert
      
    • For Linux:
      sudo keytool -import -alias smtp.gmail.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file /Users/wilson/gmail.cert
      
    • Note: you need to provide the password to access the keystore. The default password for the JVM's cacerts file is changeit; if it has been changed on your system, use that instead. On Java 9 and later there is no jre subdirectory, so cacerts lives at $JAVA_HOME/lib/security/cacerts.
  4. keytool prints the certificate's owner, issuer, validity period and fingerprints and then asks "Trust this certificate? [no]:". Check that the owner is CN=smtp.gmail.com and that the validity period has not passed, then answer yes.
  5. Note: if your Java mail client application uses its own keystore, point the -keystore option at the application's keystore rather than the JVM's. Because this imports the server's own (leaf) certificate rather than a CA certificate, it has to be repeated whenever Google reissues the certificate; remove the stale entry first with keytool -delete -alias smtp.gmail.com against the same keystore.
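Before answering yes to keytool it is worth checking what you are about to trust. The script below is an added example, not code from the original post: it reads the PEM file produced in step 2 (here the certificate shown above, embedded inline) and reports the subject, issuer, serial, validity window and SHA-256 fingerprint using only the Python standard library. The DER walker reads just the TBSCertificate fields it needs and is not a general X.509 parser; the function and variable names are this example's own.

```python
# Added example (not from the original post): inspect a PEM certificate before handing it to
# keytool. Standard library only; the DER walker is minimal, not a general X.509 parser.
import base64
import hashlib
import itertools
import re
from datetime import datetime, timezone

# The smtp.gmail.com certificate copied from step 2 above (captured in 2011); replace with your own gmail.cert.
GMAIL_CERT_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDWzCCAsSgAwIBAgIKFeQVggADAAA7NjANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMTExMTgwMTU3MTdaFw0xMjExMTgwMjA3MTda
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw5zbXRw
LmdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuK+t5ZRq6c3K
kWPwLuIcPa6DgiBURaQK9akP4OBoXKJ6bqYIQWsS4C3RgnOaGaDENadxHSNZ5Qpl
Vqg2S54N54SM5OXwOq0NtrqdlbhgigB53TZouiJvnLDxxIexSOn2Gx1qyZF2z8Ii
MoUhHuStWgW5YoOHje8z6K9xQdYkQp0CAwEAAaOCASwwggEoMB0GA1UdDgQWBBTs
OL4jbtJ5l8B6/eoEvv30KEiTrjAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra
42sSJDBbBgNVHR8EVDBSMFCgTqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dv
b2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNy
bDBmBggrBgEFBQcBAQRaMFgwVgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRp
Yy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRo
b3JpdHkuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJ
KoZIhvcNAQEFBQADgYEAQiMlHuQLRFqR10UsSg5WTNe3vagbdnBLAkdhvAf90B5a
9beBxJH2/ylTSIGfD2uceAqzcsQe6Ouy4C9r3rz86qA1dhdtIcPg6uoZb+E2qhE5
UaOJOPO4rHInX9kscBxh+baHbpBMh+ch6v5L8plss8hd0id8C4g10YKzwcgPYlQ=
-----END CERTIFICATE-----
"""
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def pem_to_der(pem):
    """Strip the PEM armour (both marker lines must be present) and base64-decode the body."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()), validate=True)

def read_tlv(buf, off):
    """Decode the DER tag and length at off; return (tag, content_start, content_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def children(buf, start, end):          # yield (tag, content_start, content_end) of each inner element
    off = start
    while off < end:
        tlv = read_tlv(buf, off)
        yield tlv
        off = tlv[2]

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); RFC 5280 requires the trailing-Z form."""
    text = raw.decode("ascii")
    if tag == 0x17:                     # YYMMDDHHMMSSZ: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:                   # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def common_name(buf, start, end):
    """Pull the CN out of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, set_s, set_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, set_s, set_e):
            (oid_tag, oid_s, oid_e), (val_tag, val_s, val_e) = list(children(buf, atv_s, atv_e))[:2]
            if oid_tag == 0x06 and buf[oid_s:oid_e] == OID_COMMON_NAME:
                return buf[val_s:val_e].decode("utf-16-be" if val_tag == 0x1E else "utf-8")
    return ""

def describe(pem):
    """Return the fields a person should look at before trusting the certificate."""
    der = pem_to_der(pem)
    _, cert_s, _ = read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)            # tbsCertificate ::= SEQUENCE
    fields = list(itertools.islice(children(der, tbs_s, tbs_e), 6))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields.pop(0)
    (_, ser_s, ser_e), _sig_alg, (_, iss_s, iss_e), (_, val_s, val_e), (_, sub_s, sub_e) = fields[:5]
    not_before, not_after = (parse_time(t, der[s:e]) for t, s, e in children(der, val_s, val_e))
    return {
        "subject_cn": common_name(der, sub_s, sub_e),
        "issuer_cn": common_name(der, iss_s, iss_e),
        "serial": der[ser_s:ser_e].hex(),
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),  # compare with keytool's SHA256 line
    }

def safe_to_import(info, expected_cn="smtp.gmail.com", now=None):
    """Refuse a certificate issued to another name or one outside its validity window."""
    now = now or datetime.now(timezone.utc)
    in_window = datetime.fromisoformat(info["not_before"]) <= now <= datetime.fromisoformat(info["not_after"])
    return info["subject_cn"] == expected_cn and in_window

if __name__ == "__main__":
    summary = describe(GMAIL_CERT_PEM)
    print("\n".join(f"{k:19} {v}" for k, v in summary.items()))
    print("safe to import now:", safe_to_import(summary))  # False: this certificate expired in 2012
```

Run against the certificate above, the script reports CN=smtp.gmail.com issued by Google Internet Authority with a validity window that closed on 2012-11-18, so safe_to_import returns False and the right move is to capture the current certificate rather than import this one. The same fields can be read with openssl x509 -in gmail.cert -noout -subject -issuer -dates -fingerprint -sha256, or with keytool -printcert -file gmail.cert, and the fingerprint should match across all three.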



11 comments:

  1. Why did you save the certificate with the name gmail.cert? Is this a specification of Gmail?

    1. You can use any file name. It does not matter.

  2. Guys, steps 2 and 3 are incorrect.
    I spent about 20 minutes and found out that it should be:
    2. Copy and save ALL lines "-----BEGIN CERTIFICATE----- snipped -----END CERTIFICATE-----" into a file, say, gmail.pem:
    -----BEGIN CERTIFICATE-----
    Blah Blah Blah
    -----END CERTIFICATE-----

    3. Run commands:
    3.1 openssl x509 -outform der -in gmail.pem -out gmail.der
    3.2 keytool -import -alias smtp.gmail.com -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file gmail.der

    1. Where do I use the 3.1 and 3.2 commands?
      In openssl or in cmd?

      When I execute this command in openssl it shows an error:

      OpenSSL> x509 -outform der -in gmail.pem -out gmail.der
      Error opening Certificate gmail.pem
      3460:error:02001002:system library:fopen:No such file or directory:./crypto/bio/bss_file.c:356:fopen('gmail.pem','rb')
      3460:error:20074002:BIO routines:FILE_CTRL:system lib:./crypto/bio/bss_file.c:358:
      unable to load certificate
      error in x509

      Any idea, sir?

    2. According to http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store, keytool can import PEM directly without having to convert to DER. So your 3.1 and 3.2 are unnecessary.

    3. I just tested on Mac OS. It works fine.

    4. A BIG THANK YOU TO ANDREI!
      My machine is Red Hat Linux; I ran the commands in the terminal. It was not working before converting the file from cert or cer to der (invalid x509 format). Now it does!
      Thank you, man!

  3. Hi,

    I am getting the error below while importing the certificate from Gmail.

    OpenSSL> s_client -connect smtp.gmail.com:465
    Loading 'screen' into random state - done
    connect: Bad file descriptor
    connect:errno=10061
    error in s_client

    Please help me out with this. What am I doing wrong here?

    1. Try changing the port number to 587. The URL will then be "smtp.gmail.com:587"

  4. Thanks, this works perfectly as per your blog. Great.
