I’ve been working recently with a client to do some rather useful things with notifications, and one of them involved sending a secure email from within a Java program. We encountered some interesting (translation: weird!) challenges, and in overcoming them, I worked out a reasonably straightforward path through the minefield. If you’ve been thinking about secure-email-enabling your Java app but aren’t sure where to start, hopefully this will serve as a fairly quick and mostly painless primer.  🙂

The Problem

Let me first say that if you only want to send a plain-text email from Java, there are ways to do that without much fuss and without any external players. If you want to sign or encrypt your emails, though, you’ll need a couple of extra components:

1. A digital certificate (private/public key pair issued by a recognized Certificate Authority, or “CA”)
2. A means of using the certificate to sign and/or encrypt the email

The goal is to digitally sign an email to assure recipients that the sender of the mail is indeed me (or you, if you’re following along at work/home). Let’s get started!

First, we have to have a digital certificate. If you already have one, you can skip this step…but if not, StartSSL offers free user/email certificates for personal use. Just point your browser to the StartSSL site and click the large button labeled “Sign-up”. You’ll need to provide them some information, enter the verification code they email to the address you provide, and they do the rest…including installing your new cert and the certificate chain into your web browser.

Perhaps the easiest way to use a certificate is to store it (keys, certificate chain) in a Java Keystore (jks). Extracting your shiny new certificate from your browser is a relatively easy (albeit drawn-out) process. From your browser, export your certificate, including private key. This will produce a .pfx file, which is a PKCS12 keystore. From Chrome, you simply:

1. Click on the Wrench (or Lines) icon in the upper-right corner
2. Select “Settings” from the menu
3. “Show advanced settings…” at the bottom of the page
4. Scroll down to the section labeled “HTTPS/SSL”
5. Click the “Manage certificates…” button to display your certificates.

Then, from the certificates window:

1. Select the target certificate and click the “Export…” button
2. Click “Next” from the Export Wizard window
3. Choose “Yes, export the private key” and click “Next”
4. Under the “Personal Information Exchange – PKCS #12 (.PFX)” entry, select the options to “Include all certificates in the certification path if possible” and “Export all extended properties” (NOTE: Do NOT choose to “Delete the private key if the export is successful”. No no no!) and click “Next”
5. Enter a password (twice) and click “Next”
6. Provide a path/filename for the export and click “Next”, and finally…
7. Confirm the export options and click “Finish”.

Now that we’ve liberated your cert from the browser, let’s make it usable by our (non-browser) Java program.

The fastest, easiest way I’ve found to convert a .pfx file to a .jks (Java Keystore) file is with the Oracle 11g database client. The database client can be downloaded by following this link, selecting the “See All” link to the right of your listed operating system, and choosing the 11g client from the OS-specific download page. Once it’s downloaded and installed, you’re ready to proceed.

Like the .pfx file, the Oracle wallet is a PKCS12 keystore, and the orapki utility (and other tools) included with the database client can be used to manipulate it…as long as it thinks it’s dealing with an Oracle wallet. To make that happen, simply rename the .pfx file to ewallet.p12. Since we aren’t dealing with the Oracle Wallet Manager, we don’t have to worry about meeting OWM’s password criteria or other niceties. Yes, that really is all there is to it!