Adding root CA to intellij on Windows 10
I work for a company that has an antivirus solution that scans all incoming and outgoing HTTP(S) traffic. In the case of HTTPS, the virus scanner actually does a man-in-the-middle attack on the HTTPS traffic. For the normal (workplace IT dept managed) web browsers, this is enabled by placing an extra root certificate in the browser. This certificate can be used by the virus scanner to sign the SSL certificates that it generates for each connection.
Now every time I start IntelliJ, I have to click through multiple HTTP security warnings (because IntelliJ e.g. tries to look for updated plugins). I understand that there actually IS a man in the middle, so I'd like to do the same trick as with the browser. Just clicking on accept won't do the trick because a new SSL certificate will be generated each time, so on next startup, I'll have the same trick. Just configuring IntelliJ to ignore all SSL warnings also won't do the trick because I do want to be able to distinguish between the man in the middle that I trust, and the one I don't.
I also tried adding the root certificate to the (cacerts) truststore that is mentioned in the SSL warning popup screen, and I have also added it to the cacerts truststore that's part of the JDK that comes with IntelliJ.
Does anyone have an idea on how to fix this?
Could it be that this truststore is occasionally overwritten? (At a certain point, I thought that it did work, but then later the SSL warning still came back.)
Hello,
You could add it via Settings | Tools | Server Certificates menu (https://www.jetbrains.com/help/idea/settings-tools-server-certificates.html) or from command line to ${idea.system.path}/tasks/cacerts file (https://docs.oracle.com/cd/E19906-01/820-4916/geygn/index.html)
Thanks! That is / looks quite helpful. That menu option will at least show me what I'm doing... (I tried the command line way before. But it's good to be able to see in the GUI that it's actually the same.)
It looks like it works now, but it did look like that a number of times before, so I'll wait before really celebrating it.
A few days have now passed, and I can still start IntelliJ without clicking through SSL warnings, so this seems to really have done the trick!
Thanks!
I've been getting a similar problem with Forcepoint, and I keep getting the "Server's certificate is not trusted" error for the host name prod.fus.aws.intellij.net, even after telling IntelliJ to accept the certificate. It looks like IntelliJ is saving the cert to $HOME/.IntelliJIdea2019.3/system/tasks/cacerts
but I suspect the JVM might be using $HOME/AppData/Local/JetBrains/Toolbox/apps/IDEA-U/ch-0/193.5662.53/jbr/lib/security/cacerts
because I'm using JetBrains Toolbox to run IntelliJ.
Then again, I've done my best to add the Forcepoint Cloud Root CA to that cacerts file as well, and I just saw the error pop up again. So I'm still missing something.
Any idea how I can force IntelliJ to call out to prod.fus.aws.intellij.net, which I gather is to do with Feature Usage Statistics? The error just seems to pop up at random, which makes it hard to tell if I have fixed the problem or not.
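Added example, not part of any post in this thread: a way to check from the command line which of the truststores mentioned above actually contains the proxy's root CA, by comparing SHA-256 fingerprints with keytool. The file name corp-root-ca.pem, the helper function names and the store password changeit are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumptions: keytool is on PATH, the
# truststores use the default password "changeit", and corp-root-ca.pem is a
# hypothetical file holding the proxy's root CA exported from the browser.

# Read keytool's verbose output on stdin and print every SHA-256 fingerprint,
# normalised to uppercase hex without colons, one per line.
sha256_fps() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | tr -d ': \r' | tr 'a-f' 'A-F'
}

# store_has_fp FP: succeed if FP appears in `keytool -list -v` output on stdin.
store_has_fp() {
  sha256_fps | grep -xF "$1" >/dev/null
}

# check_stores CA_PEM STORE...: report, per truststore, whether it contains the
# exact CA certificate. Returns 0 only if every store has it.
check_stores() {
  ca=$1; shift
  fp=$(keytool -printcert -file "$ca" | sha256_fps | head -n 1)
  [ -n "$fp" ] || { echo "no SHA-256 fingerprint read from $ca" >&2; return 2; }
  missing=0
  for store in "$@"; do
    if keytool -list -v -keystore "$store" -storepass "${STOREPASS:-changeit}" \
         2>/dev/null | store_has_fp "$fp"; then
      echo "present  $store"
    else
      echo "MISSING  $store"
      missing=1
    fi
  done
  return "$missing"
}

# Example call with the two paths named in the thread:
#   check_stores corp-root-ca.pem \
#     "$HOME/.IntelliJIdea2019.3/system/tasks/cacerts" \
#     "$HOME/AppData/Local/JetBrains/Toolbox/apps/IDEA-U/ch-0/193.5662.53/jbr/lib/security/cacerts"
if [ "$#" -ge 2 ]; then
  check_stores "$@"
fi
```

The Toolbox path includes the build number, so the check is worth repeating after an IDE update, when the runtime directory changes.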
Does it help if you enable the Accept non-trusted certificates automatically option in Settings | Tools | Server Certificates?
Are you behind a corporate proxy? If you are, please see the following issue: https://youtrack.jetbrains.com/issue/IDEA-173599#comment=27-2195546
Well, I imagine the "Accept non-trusted certificates automatically" option would work, but for security reasons (like Roderick) I don't want to trust all cases of MITM, just the Forcepoint corporate proxy.
I would give the option a quick test, but I don't know how to trigger the FUS call on demand. I don't want to leave the option on for any length of time. Any suggestions on how to trigger FUS?
Thanks for the issue link, I'll definitely be following that. I'm not sure which comment that was supposed to link to, but I've already tried what Victor Rajewski did, in essence.
I haven't seen the pop-up since I disabled FUS. Maybe it's only FUS which is affected.
I am having the same issue. I have already added the private certificate to servers>certificate but there seem to be a few places that JetBrains does reference the imported certificates.
1) I get a certificate warning when starting WebStorm dealing with it trying to connect to api.nodesecurity.ip
2) The JetBrains IDE settings sync
Is there any way to globally point all the JetBrains IDEs to a private certificate?
@Regalme please upvote https://youtrack.jetbrains.com/issue/IDEA-173599