Adding root CA to intellij on Windows 10

Answered

I work for a company that has an antivirus solution that scans all incoming and outgoing HTTP(S) traffic. In the case of HTTPS, the virus scanner actually does a man-in-the-middle attack on the HTTPS traffic. For the normal (workplace IT department managed) web browsers, this is enabled by placing an extra root certificate in the browser. This certificate can be used by the virus scanner to sign the SSL certificates that it generates for each connection.

Now every time I start IntelliJ, I have to click through multiple HTTP security warnings (because IntelliJ e.g. tries to look for updated plugins). I understand that there actually IS a man in the middle, so I'd like to do the same trick as with the browser. Just clicking on accept won't do the trick, because a new SSL certificate will be generated each time, so on the next startup I'll have the same trick. Just configuring IntelliJ to ignore all SSL warnings also won't do the trick, because I do want to be able to distinguish between the man in the middle that I trust and the one I don't.

I also tried adding the root certificate to the (cacerts) truststore that is mentioned in the SSL warning popup screen, and I have also added it to the cacerts truststore that's part of the JDK that comes with IntelliJ.


Does anyone have an idea on how to fix this?

Could it be that this truststore is occasionally overwritten? (At a certain point, I thought that it did work, but then later the SSL warning still came back.)

8 comments

Hello,

You could add it via Settings | Tools | Server Certificates menu (https://www.jetbrains.com/help/idea/settings-tools-server-certificates.html) or from command line to ${idea.system.path}/tasks/cacerts file (https://docs.oracle.com/cd/E19906-01/820-4916/geygn/index.html)

1
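The command-line route from the reply above, carried out end to end as an added example (this is not from the original thread or from JetBrains). It imports exactly one corporate root CA into the store behind Settings | Tools | Server Certificates and checks the result, so the IDE trusts that one interception CA and nothing else. Labelled assumptions: IntelliJ 2019.3, so ${idea.system.path} is $HOME\.IntelliJIdea2019.3\system (the path quoted later in this thread); keytool is taken from the Toolbox JBR path quoted later in this thread; the store password is keytool's default "changeit"; the CA was exported by the IT department as C:\certs\corp-root.cer. Any of these may differ on your machine.

```powershell
# Added example, not from the original thread or from JetBrains: import one corporate
# root CA into the store behind Settings | Tools | Server Certificates and verify it.
# Labelled assumptions: IntelliJ 2019.3, so ${idea.system.path} is
# $HOME\.IntelliJIdea2019.3\system; keytool comes from the Toolbox JBR path quoted
# later in the thread; the store password is keytool's default "changeit"; the CA
# was exported by IT as C:\certs\corp-root.cer.
$ErrorActionPreference = 'Stop'

$JbrHome    = "$env:LOCALAPPDATA\JetBrains\Toolbox\apps\IDEA-U\ch-0\193.5662.53\jbr"
$Keytool    = Join-Path $JbrHome 'bin\keytool.exe'
$TrustStore = "$env:USERPROFILE\.IntelliJIdea2019.3\system\tasks\cacerts"
$StorePass  = 'changeit'                      # assumption, see above
$CaFile     = 'C:\certs\corp-root.cer'        # assumption, see above
$Alias      = 'corp-tls-inspection-root'      # any unique alias will do

if (-not (Test-Path $TrustStore)) {
    throw "$TrustStore does not exist yet; accept the certificate once via Settings | Tools | Server Certificates, which writes this same store, then rerun."
}

# 1. Inspect before trusting. It must be a CA certificate (BasicConstraints CA:true),
#    and its SHA-256 fingerprint should match the one IT publishes for the inspection
#    root. Trusting exactly this one CA is what keeps "the MITM I trust" separate from
#    any other interception, which would still be rejected.
$certInfo = & $Keytool -printcert -v -file $CaFile
if (-not ($certInfo | Select-String -Quiet 'CA:true')) {
    throw "$CaFile is not a CA certificate; do not import it as a trust anchor."
}
$certInfo | Select-String 'Owner:|Issuer:|SHA256:|CA:true'

# 2. Import. -noprompt skips the interactive "Trust this certificate?" question.
& $Keytool -importcert -noprompt -alias $Alias -file $CaFile `
    -keystore $TrustStore -storepass $StorePass

# 3. Verify that the import landed as a trusted certificate entry.
$listing = & $Keytool -list -v -alias $Alias -keystore $TrustStore -storepass $StorePass
if (-not ($listing | Select-String -Quiet 'trustedCertEntry')) {
    throw "Alias $Alias not found as trustedCertEntry in $TrustStore"
}
$listing | Select-String 'Owner:|SHA256:'
```

Step 3 is the check to repeat when the warning "comes back": if the alias is still listed, the store was not overwritten and the warning is coming from a different trust store or a different certificate. Note that the JBR path above contains a build number, so a CA added to that JBR's lib\security\cacerts lives inside one build's directory and does not carry over to the next build Toolbox installs; ${idea.system.path}\tasks\cacerts is the store the IDE's own Server Certificates dialog uses, which is why the reply points there.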

Thanks! That is / looks quite helpful. That menu option will at least show me what I'm doing... (I tried the command-line way before, but it's good to be able to see in the GUI that it's actually the same.)

It looks like it works now, but it did look like that a number of times before, so I'll wait before really celebrating it.

0

A few days have now passed, and I can still start IntelliJ without clicking through SSL warnings, so this seems to really have done the trick!

Thanks!

0

I've been getting a similar problem with Forcepoint, and I keep getting the "Server's certificate is not trusted" error for the host name prod.fus.aws.intellij.net, even after telling IntelliJ to accept the certificate. It looks like IntelliJ is saving the cert to $HOME/.IntelliJIdea2019.3/system/tasks/cacerts

but I suspect the JVM might be using $HOME/AppData/Local/JetBrains/Toolbox/apps/IDEA-U/ch-0/193.5662.53/jbr/lib/security/cacerts

because I'm using JetBrains Toolbox to run IntelliJ.

Then again, I've done my best to add the Forcepoint Cloud Root CA to that cacerts file as well, and I just saw the error pop up again. So I'm still missing something.

Any idea how I can force IntelliJ to call out to prod.fus.aws.intellij.net, which I gather is to do with Feature Usage Statistics? The error just seems to pop up at random, which makes it hard to tell if I have fixed the problem or not.

1

Does it help if you enable the Accept non-trusted certificates automatically option in Settings | Tools | Server Certificates?

Are you behind a corporate proxy? If you are, please see the following issue: https://youtrack.jetbrains.com/issue/IDEA-173599#comment=27-2195546

0

Well, I imagine the "Accept non-trusted certificates automatically" option would work, but for security reasons (like Roderick) I don't want to trust all cases of MITM, just the Forcepoint corporate proxy.


I would give the option a quick test, but I don't know how to trigger the FUS call on demand. I don't want to leave the option on for any length of time. Any suggestions on how to trigger FUS?


Thanks for the issue link, I'll definitely be following that. I'm not sure which comment that was supposed to link to, but I've already tried what Victor Rajewski did, in essence.


I haven't seen the pop-up since I disabled FUS. Maybe it's only FUS which is affected.

0

I am having the same issue. I have already added the private certificate to Servers > Certificates, but there seem to be a few places where JetBrains does reference the imported certificates...

1) I get a certificate warning when starting WebStorm dealing with it trying to connect to api.nodesecurity.ip

2) The JetBrains IDE settings sync

Is there any way to globally point all the JetBrains IDEs to a private certificate?

0
