robin4002

Untitled

Jul 15th, 2016
  1. import java.io.BufferedInputStream;
  2. import java.io.IOException;
  3. import java.io.InputStream;
  4. import java.net.URL;
  5. import java.net.URLConnection;
  6. import java.nio.file.Files;
  7. import java.nio.file.Path;
  8. import java.nio.file.Paths;
  9. import java.security.KeyStore;
  10. import java.security.cert.Certificate;
  11. import java.security.cert.CertificateFactory;
  12. import java.security.cert.PKIXParameters;
  13. import java.security.cert.TrustAnchor;
  14. import java.security.cert.X509Certificate;
  15. import java.util.Iterator;
  16.  
  17. import javax.net.ssl.SSLContext;
  18. import javax.net.ssl.SSLHandshakeException;
  19. import javax.net.ssl.TrustManagerFactory;
  20.  
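/**
 * Extends the JVM's default trust store, in memory, with a bundled Let's Encrypt
 * certificate and installs the result as the process-wide default {@link SSLContext}.
 *
 * <p>Security notes for anyone reusing {@link #load()}:
 * <ul>
 *   <li>The bundled certificate becomes a trust anchor for every connection that uses the
 *       default {@code SSLContext}, so the resource on the classpath must come from a
 *       source you have verified (for example by comparing its fingerprint with the one
 *       published by the CA) and must not be replaceable by untrusted parties.</li>
 *   <li>{@link SSLContext#setDefault(SSLContext)} affects the whole JVM, not only the
 *       caller's connections.</li>
 *   <li>The {@code cacerts} file on disk is never written; the extra entry lives only in
 *       the in-memory {@link KeyStore}.</li>
 * </ul>
 */
public class ForceLetsEncryptCert
{
    /** Classpath location of the DER-encoded certificate that is added as a trust anchor. */
    private static final String CERT_RESOURCE = "/lets-encrypt-x3-cross-signed.der";

    /** Alias under which the certificate is stored in the in-memory key store. */
    private static final String CERT_ALIAS = "lets-encrypt-x3-cross-signed";

    /** When true, {@link #load()} prints every trust anchor after the certificate is added. */
    private static final boolean PRINT_TRUST_ANCHORS = true;

    /** Connect/read timeout used by {@link #testUrl(URL)} so one dead host cannot hang the run. */
    private static final int TIMEOUT_MILLIS = 10000;

    /**
     * Loads the JVM's {@code cacerts}, adds the bundled certificate and makes the resulting
     * trust managers the default for the process.
     *
     * @throws RuntimeException wrapping any failure: missing or unreadable {@code cacerts},
     *         missing certificate resource, unparsable or out-of-validity certificate, or a
     *         failure while initialising the TLS context
     */
    public static void load()
    {
        try
        {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            Path ksPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
            // A null password means KeyStore.load() performs no integrity check on the file;
            // the contents are trusted as found on disk. The stream is closed once loaded.
            try(InputStream ksInput = Files.newInputStream(ksPath))
            {
                keyStore.load(ksInput, null);
            }

            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            InputStream resource = ForceLetsEncryptCert.class.getResourceAsStream(CERT_RESOURCE);
            if(resource == null)
            {
                // Fail with a clear message instead of an opaque parse error on a null stream.
                throw new IOException("Certificate resource not found on classpath: " + CERT_RESOURCE);
            }
            X509Certificate crt;
            try(InputStream caInput = new BufferedInputStream(resource))
            {
                crt = (X509Certificate)cf.generateCertificate(caInput);
            }
            // Refuse to install a certificate that is expired or not yet valid as a trust
            // anchor; intermediates are replaced over time and a stale bundle should be noticed.
            crt.checkValidity();
            System.out.println("Added Cert for " + crt.getSubjectDN());

            keyStore.setCertificateEntry(CERT_ALIAS, crt);

            if(PRINT_TRUST_ANCHORS)
            {
                System.out.println("Truststore now trusting: ");
                PKIXParameters params = new PKIXParameters(keyStore);
                for(TrustAnchor anchor : params.getTrustAnchors())
                {
                    System.out.println(anchor.getTrustedCert().getSubjectDN());
                }
                System.out.println();
            }

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(keyStore);
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tmf.getTrustManagers(), null);
            // Process-wide: every later use of the default SSLContext sees the extended trust store.
            SSLContext.setDefault(sslContext);
        }
        catch(Exception e)
        {
            throw new RuntimeException(e);
        }
    }
    // END ---------- ADDME

    /**
     * Manual check: installs the extended trust store, then connects to a list of hosts.
     * The hosts commented as expired and self-signed are the negative cases and are
     * expected to be reported as untrusted.
     *
     * @param args unused
     * @throws IOException if a connection fails for a reason other than a TLS handshake failure
     */
    public static void main(String[] args) throws IOException
    {
        load();
        // signed by default trusted CAs.
        testUrl(new URL("https://google.com"));
        testUrl(new URL("https://www.thawte.com"));

        // signed by letsencrypt
        testUrl(new URL("https://helloworld.letsencrypt.org"));
        // signed by LE's cross-sign CA
        testUrl(new URL("https://letsencrypt.org"));
        // nhg
        testUrl(new URL("https://hungergames.mcnanotech.fr"));
        // expired
        testUrl(new URL("https://tv.eurosport.com/"));
        // self-signed
        testUrl(new URL("https://www.pcwebshop.co.uk/"));

    }

    /**
     * Connects to {@code url} and prints its response headers, or prints that the host is
     * untrusted when the TLS handshake fails.
     *
     * @param url the URL to connect to
     * @throws IOException on any I/O failure other than {@link SSLHandshakeException},
     *         including a connect or read timeout
     */
    static void testUrl(URL url) throws IOException
    {
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(TIMEOUT_MILLIS);
        connection.setReadTimeout(TIMEOUT_MILLIS);
        try
        {
            connection.connect();
            System.out.println("Headers of " + url + " => " + connection.getHeaderFields());
        }
        catch(SSLHandshakeException e)
        {
            System.out.println("Untrusted: " + url);
        }
        finally
        {
            // Release the socket; URLConnection itself has no close method.
            if(connection instanceof java.net.HttpURLConnection)
            {
                ((java.net.HttpURLConnection)connection).disconnect();
            }
        }
    }
}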