How to check if a server SSL certificate is trusted by Java command line Windows or Linux

Manage Support IDs

Use checkboxes to 'Remove support IDs/Users' or 'Allow to create Cases'
Support IDs for BMC Customer Support Site Guest User
Profiles Which Include    Back to All Support IDs
 

Knowledge Article

How to check if a server SSL certificate is trusted by Java command line Windows or Linux
When troubleshooting HTTPS interactions verifying the SSL certificate with a command line tool can provide insights
Remedy AR System Server
AR System Mid Tier
any web application that is accessible from a linux command line
Remedy AR System Server
AR System Mid Tier
any web application that is accessible from a linux command line
In a Linux or Windows system how do I check if the certificate from a webserver is valid using java command line?
This knowledge article may contain information that does not apply to version 21.05 or later which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.

Download the tool found here https://communities.bmc.com/docs/DOC-129733

Prepare a text file (eg: testSSL.txt ) on a known location (eg: save it on the same folder as TestHttpClient.jar) with the following contents: 

GET https://localhost:8443

then execute this command line 

java -jar TestHttpClient.jar <TEXT_FILE_LOCATION_AND_NAME> --debugHTTP --debugSSL > evidence.log 2>&1

following the example above: 
 java -jar TestHttpClient.jar testSSL.txt --debugHTTP --debugSSL > evidence.log 2>&1

The evidence.log will contain the following if the certificate wasn't trusted
  
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On the other hand if the ssl certificate is trusted 
check handshake state: finished[20]
update handshake state: finished[20]
*** Finished
verify_data:  { 229, 159, 191, 86, 176, 21, 48, 201, 208, 192, 143, 96 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
[read] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C E5 9F BF 56   B0 15 30 C9 D0 C0 8F 60  .......V..0....`
2020/08/10 16:16:50:971 CDT [DEBUG] SSLConnectionSocketFactory - Secure session established
2020/08/10 16:16:50:971 CDT [DEBUG] SSLConnectionSocketFactory -  negotiated protocol: TLSv1.2
2020/08/10 16:16:50:971 CDT [DEBUG] SSLConnectionSocketFactory -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
.....
2020/08/10 16:16:50:976 CDT [DEBUG] MainClientExec - Executing request GET / HTTP/1.1
2020/08/10 16:16:50:976 CDT [DEBUG] MainClientExec - Target auth state: UNCHALLENGED
2020/08/10 16:16:50:977 CDT [DEBUG] MainClientExec - Proxy auth state: UNCHALLENGED
2020/08/10 16:16:50:978 CDT [DEBUG] wire - http-outgoing-0 >> "GET / HTTP/1.1[\r][\n]"
Note that *** is produced in some java versions and not all
 


 
Remedy AR System Server
AR System Mid Tier
any web application that is accessible from a linux command line
Attachment(s):