HTTPS connections need to make sure the server 'at the other end' is actually the server it claims to be. This is done using public key certificates. For testing purposes or to save the costs of a commercially issued certificate, it is possible to use a self-issued certificate. This blog post shows how to connect to this kind of servers in IntelliJ IDEA or other Java programs.

Self-issued certificates are unknown to Java by default

Put simple, during initiation of an SSL connection, the server presents a certificate to the client to prove the server's identity. The Java runtime has to check if the certificate can be trusted. A certificate is basically a huge random number (a "key") combined with some meta-data of the server suited to identify it, signed with the (private) signature key of some certificate authority (CA for short). For servers, a certificate usually contains the canonical host name to identify it.

By default, Java only knows a limited number of (public) signature verification keys belonging to well-known commercial or non-profit certificate authorities. When using a self-issued or self-signed SSL certificate, additional configuration is required to tell Java it can trust the self-signed certificate. If you don't do this, your Java program will throw an exception: SunCertPathBuilderException: unable to find valid certification path to requested target unknown location

Adding certificates to Java's Certificate Authority database

Java comes with a tool to modify key stores called keytool. It can be used to add the self-signed certificate to Java's CA database. For a Sun/Oracle JDK, this database is located in $JAVA_HOME/jre/lib/security/cacerts. To import a certificate, you probably need to become root.

# cd $JAVA_HOME/jre/lib/security/
# keytool -importcert -keystore cacerts -file ~user.name/my-server.crt

The second command from above instructs keytool to import a new certificate into the key store contained in file cacerts, importing the certificate from file ~user.name/my-server.crt. The keytool will prompt for a key store password, which is changeit by default. In addition, it will also prompt you to confirm that you want to trust the new certificate (answer 'Yes' to the respective question).

Final Steps

Make sure you restart your java application after successfully importing the server certificate, so the new database can be used when connecting to SSL-enabled servers. I used it to connect to an SSL-enabled YouTrack server which tracks all the issues for my Maven Drools Plugin:

Enjoy!