Certificate chain and Java code to obtain a server certificate

HTTPS communication process

A client communicating with a web server over HTTPS goes through the following steps, as shown in the figure.

  1. The client uses the https URL to access the web server and requests that an SSL connection be established with the web server.
  2. After the web server receives the client's request, it will send a copy of the website's certificate information (the certificate contains the public key) to the client.
  3. The client's browser and the Web server begin to negotiate the security level of the SSL connection, which is the level of information encryption.
  4. The client's browser establishes a session key based on the security level agreed by both parties, and then uses the website's public key to encrypt the session key and transmits it to the website.
  5. The web server uses its own private key to decrypt the session key.
  6. The web server uses session keys to encrypt communications with clients.
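
The key exchange in steps 4 to 6 can be modelled locally with the JDK's own crypto classes. This is an added example, not code from the original post; the class name SessionKeyDemo, the freshly generated RSA key pair standing in for the certificate's key, and the choice of OAEP and AES-GCM are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration of steps 2 and 4-6: a simplified model, not a TLS implementation.
public class SessionKeyDemo {
    public static void main(String[] args) throws Exception {
        // Server side: key pair whose public half would be carried in the certificate (step 2).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();

        // Step 4: the client creates a session key and encrypts (wraps) it with the public key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey clientKey = kg.generateKey();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, server.getPublic());
        byte[] wrapped = rsa.wrap(clientKey); // only this ciphertext crosses the network

        // Step 5: the server recovers the session key with its private key.
        rsa.init(Cipher.UNWRAP_MODE, server.getPrivate());
        SecretKey serverKey = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        System.out.println("same session key on both sides: "
                + Arrays.equals(clientKey.getEncoded(), serverKey.getEncoded()));

        // Step 6: the server encrypts a reply under the session key and the client decrypts it.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // a fresh nonce is required for every GCM encryption
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, serverKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal("HTTP/1.1 200 OK".getBytes(StandardCharsets.UTF_8));

        aes.init(Cipher.DECRYPT_MODE, clientKey, new GCMParameterSpec(128, iv));
        System.out.println(new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8));
    }
}
```

TLS 1.3 no longer transports the key this way: session keys are derived from an ephemeral Diffie-Hellman exchange, and the certificate's key only signs the handshake.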

What is an HTTPS/SSL certificate

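An HTTPS/SSL certificate is issued by an authoritative CA (Certificate Authority). It is mainly used for encrypting the server (application) data transmission link and for identity authentication, and it is bound to the website's domain name. The main certificate types are the following: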

  • EV SSL Certificate (Extended Validation SSL)
  • OV SSL Certificate (Organization Validation SSL)
  • DV SSL Certificate (Domain Validation SSL)

Different certificate types are treated differently in the browser's display. For example, EV and OV certificates will display the company name on the browser address bar, which of course means that when applying for a certificate from a CA you have to pay more and go through more review procedures. Usually a DV certificate is enough; the review process is simple and it is very cheap.

How to verify the validity of a certificate

An HTTPS/SSL certificate is actually a certificate chain; only when every certificate in the chain is valid can the certificate itself be considered valid.

About the certificate chain

Web browsers are preconfigured with a set of root CA certificates that the browser automatically trusts. All certificates from other certificate authorities must be accompanied by a certificate chain to verify the validity of these certificates. A certificate chain is a sequence of certificates issued by a series of CA certificates, ending with a root CA certificate.

The certificate was originally generated as a self-signed certificate.

  • A self-signed certificate is one whose issuer (signer) is the same as the subject (the entity whose public key is verified by the certificate).
  • If the owner sends a Certificate Signing Request (CSR) to the CA and then imports the response, the self-signed certificate is replaced by a certificate chain.
  • At the bottom of the chain is the certificate (reply) issued by the CA that verifies the subject's public key.
  • The next certificate in the chain is the certificate that verifies the CA's public key. Typically, this is a self-signed certificate (that is, a certificate from the CA that verifies its own public key) and is the last certificate in the chain.

In other cases, the CA may return a certificate chain.

  • In this case, the certificate at the bottom of the chain is the same (certificate signed by the CA that verifies the public key of the key entry),
  • But the second certificate in the chain is a certificate signed by another CA that verifies the public key of the CA you sent the CSR to.
  • The next certificate in the chain is then the certificate used to verify the second CA's key,
  • And so on until you reach the self-signed root certificate.
  • Therefore, each certificate in the chain (certificates after the first) needs to verify the public key of the signer of the previous certificate in the chain.

Using Java code to obtain the remote server certificate

package org.test;

import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

public class Application {

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://baidu.com");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
        Certificate[] certs = conn.getServerCertificates();    // gets the complete certificate chain
        X509Certificate cert = (X509Certificate) certs[0];     // certs[0] is the bottom of the certificate chain
        System.out.println("序号:" + cert.getSerialNumber());              // serial number
        System.out.println("颁发给:" + cert.getSubjectDN().getName());     // issued to (subject)
        System.out.println("颁发者:" + cert.getIssuerDN().getName());      // issued by (issuer)
        System.out.println("起始:" + cert.getNotBefore());                 // valid from
        System.out.println("过期:" + cert.getNotAfter());                  // expires
        System.out.println("算法:" + cert.getSigAlgName());                // signature algorithm
        System.out.println("指纹:" + getThumbPrint(cert));                 // fingerprint
        conn.disconnect();
    }

    // SHA-1 digest of the DER-encoded certificate, as a lowercase hex string.
    private static String getThumbPrint(X509Certificate cert) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] der = cert.getEncoded();
        md.update(der);
        byte[] digest = md.digest();
        return bytesToHexString(digest);
    }

    // Converts a byte array to hex, two digits per byte; returns null for null or empty input.
    private static String bytesToHexString(byte[] src) {
        StringBuilder stringBuilder = new StringBuilder("");
        if (src == null || src.length <= 0) {
            return null;
        }
        for (int i = 0; i < src.length; i++) {
            int v = src[i] & 0xFF;
            String hv = Integer.toHexString(v);
            if (hv.length() < 2) {
                stringBuilder.append(0);
            }
            stringBuilder.append(hv);
        }
        return stringBuilder.toString();
    }
}

Result

序号:26585094245224241434632730821
颁发给:CN=baidu.com, O="Beijing Baidu Netcom Science Technology Co., Ltd", L=beijing, ST=beijing, C=CN
颁发者:CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
起始:Thu Jul 06 09:51:06 CST 2023
过期:Tue Aug 06 09:51:05 CST 2024
算法:SHA256withRSA
指纹:9742d59827d62288cf59c3ff75868dd5d312a0af
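
The program above prints only certs[0]. The following added example (not the original post's code; the class ChainWalk and its method names are hypothetical) walks the chain link by link as described under "About the certificate chain", using the same host and the JDK's default trust store as the set of preconfigured roots.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Added example, not the original post's code. ChainWalk and its method names are illustrative.
public class ChainWalk {
    // Root CA certificates preconfigured in the JDK's default trust store.
    static List<X509Certificate> trustedRoots() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        List<X509Certificate> roots = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                roots.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
        return roots;
    }

    // True if issuer's subject equals cert's issuer field and issuer's public key verifies cert's signature.
    static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try { cert.verify(issuer.getPublicKey()); return true; }
        catch (Exception e) { return false; } // bad signature or unsuitable key
    }

    // Index of the first certificate vouched for by a trusted root, or -1 if a link breaks first.
    static int anchorIndex(X509Certificate[] chain, List<X509Certificate> roots) throws Exception {
        for (int i = 0; i < chain.length; i++) {
            chain[i].checkValidity(); // throws if expired or not yet valid
            System.out.println(i + " subject=" + chain[i].getSubjectX500Principal().getName()
                    + " selfSigned=" + signedBy(chain[i], chain[i]));
            for (X509Certificate r : roots)
                if (chain[i].equals(r) || signedBy(chain[i], r)) return i;
            if (i + 1 == chain.length || !signedBy(chain[i], chain[i + 1])) break;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://baidu.com").openConnection();
        conn.connect(); // the default trust manager has already validated the chain, or this throws
        X509Certificate[] chain = Arrays.stream(conn.getServerCertificates())
                .map(c -> (X509Certificate) c).toArray(X509Certificate[]::new);
        System.out.println("anchored at index " + anchorIndex(chain, trustedRoots()));
        conn.disconnect();
    }
}
```

The walk only illustrates the links: it does not check CA basic constraints, key usage, revocation or the host name, so real validation should stay with the platform's PKIX implementation.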

Origin blog.csdn.net/yyuggjggg/article/details/132393102