
In which use cases is a certificate required for a web application?

 
Ranch Hand
Hi,

I have a web application where I generally download an image when the user inputs the URL in a text field.
The URL is valid and opens in browsers. It will be http or https or from my web application server as well. ex: https://abc.com/shortcuts/1,jpeg

Some images fail with an error though they open perfectly via browser without any logins. It works from a standalone program as well, BUT NOT via the web application which runs in TOMCAT.

"javax.imageio.IIOException ... "Can't get input stream from URL!""
underlying exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed

The code is
      URL url = new URL(...);   // --> FAILS here
      Image image = ImageIO.read(url);

The https image URL would be of the same server or a different server. However, the images work fine via browser and standalone program.

Question:
1. Is any special treatment required to access an https image from a web app?
2. How does it work in a standalone program but not via the web app though the certs are not installed on the local machine?

What is the correct approach and what are the underlying differences?

Thanks
 
Rancher
The exception you got already tells you the root cause: The SSL engine can't build a valid certificate path to any of its root certificates. Wild guess: You run a pretty old JVM which has a quite outdated cacert CA-root-certificate list, maybe some already expired.
For further help:
- OS? Windows or Linux? Which version?
- Tomcat version
- JDK version used by Tomcat
- real world valid example urls - or check them yourself over at ssllabs.com and see what they use as root certificate

//EDIT
BTW: The title chosen is rather misleading and could make good use of a rename. To me it first suggested that the question is about a client certificate used to authenticate.
 
Joseph Sam
Ranch Hand
How to find out the list of certificates in command prompt and the expiry date?
 
Saloon Keeper

Joseph Sam wrote: How to find out the list of certificate in command prompt and the expiry date?



You can often get information about the certificate chain by clicking the mouse on the left-hand side of your browser's URL navigation control. Often there's a padlock icon.

There are tools in Linux for command-line based inspection, but if you do what I said, you may not need them.
 
lowercase baba
I may be wrong here, but I'm not sure you CAN get a list of certificates from a command prompt. Couldn't each browser you use have its own set of root certs?
 
Tim Holloway
Saloon Keeper

fred rosenberger wrote: I may be wrong here, but I'm not sure you CAN get a list of certificates from a command prompt. Couldn't each browser you use have its own set of root certs?


Yes, there are extensive cert tools on Linux at least, which I will expect to also be available on MacOS and other Unix systems as well. Windows is a case where you'd have to dig. Windows doesn't come with anywhere near as extensive a toolset as most Linux distros do.

The "hard" part comes in figuring out how to obtain the certs, but the curl utility would be a good bet. Like I said, it's easier to just aim your browser at the offending URL and ask it.

And yes, every browser and every JVM has its own built-in root certificate list. There's no master list I know of in any OS.
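
Added example, not part of the original thread: because each JVM carries its own root list, this small Java program prints which trust store settings the running JVM uses and lists every root it trusts with its expiry date. The class name `ListTrustedRoots` is made up for illustration; it uses only standard JDK classes.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class, added for illustration.
public class ListTrustedRoots {
    public static void main(String[] args) throws Exception {
        // Which JVM is this, and is the default trust store overridden?
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore", "(not set, JVM default)"));

        // Passing null makes the factory load the JVM's default trust store,
        // the one HttpsURLConnection (and so ImageIO.read(URL)) uses by default.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        Date now = new Date();
        int total = 0, expired = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            X509Certificate[] roots = ((X509TrustManager) tm).getAcceptedIssuers().clone();
            // Oldest expiry first, so expired roots appear at the top.
            Arrays.sort(roots, Comparator.comparing(X509Certificate::getNotAfter));
            for (X509Certificate root : roots) {
                boolean isExpired = root.getNotAfter().before(now);
                total++;
                if (isExpired) expired++;
                System.out.printf("%-7s notAfter=%tF  %s%n",
                        isExpired ? "EXPIRED" : "ok",
                        root.getNotAfter(),
                        root.getSubjectX500Principal().getName());
            }
        }
        System.out.println(total + " trusted roots, " + expired + " expired");
    }
}
```

Run it once with the `java` binary Tomcat is started with and once with the one used for the standalone program; differing `java.home` values or root lists show that the two are not validating against the same trust store.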
 
Tim Holloway
Saloon Keeper
For Your Information:

https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file
 
Joseph Sam
Ranch Hand
Hi Tim,

What are the Linux cert tools or commands which can be used to display the list and find the expiry date? I logged in via PuTTY only.

Thanks
 
Tim Holloway
Saloon Keeper

Joseph Sam wrote: Hi Tim,

What are the Linux cert tools or commands which can be used to display the list and find the expiry date? I logged in via PuTTY only.

Thanks

Check the URL I just gave.
 
Marshal

Joseph Sam wrote: What are the Linux cert tools or commands which can be used to display the list and find the expiry date?



 