Java Client Certificate over HTTPS/SSL

0 votes

I am using Java 6 and am trying to create an HttpsURLConnection against a remote server, using a client certificate.
The server is using a self-signed root certificate, and requires that a password-protected client certificate is presented. I've added the server root certificate and the client certificate to a default Java keystore which I found in /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/lib/security/cacerts (OSX 10.5). The name of the keystore file seems to suggest that the client certificate is not supposed to go in there?

Anyway, adding the root certificate to this store solved the infamous 'javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed' problem.

However, I'm now stuck on how to use the client certificate. I've tried two approaches and neither gets me anywhere.
First, and preferred, try:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
URL url = new URL("https://somehost.dk:3049");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
InputStream inputstream = conn.getInputStream();
// The last line fails, and gives:
// javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I've tried skipping the HttpsURLConnection class (not ideal since I want to talk HTTP with the server), and do this instead:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("somehost.dk", 3049);
InputStream inputstream = sslsocket.getInputStream();
// do anything with the inputstream results in:
// java.net.SocketTimeoutException: Read timed out

I am not even sure that the client certificate is the problem here.

Nov 28, 2018 in Java by Daisy
• 8,050 points
202 views

1 answer to this question.

0 votes

The missing link was (mostly) the first of the parameters below, and to some extent that I overlooked the difference between keystores and truststores.

The self-signed server certificate must be imported into a truststore:

keytool -import -alias gridserver -file gridserver.crt -storepass $PASS -keystore gridserver.keystore

These properties need to be set (either on the command line, or in code):

-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.keyStore=clientcertificate.p12
-Djavax.net.ssl.trustStore=gridserver.keystore
-Djavax.net.debug=ssl # very verbose debug
-Djavax.net.ssl.keyStorePassword=$PASS
-Djavax.net.ssl.trustStorePassword=$PASS

Working example code:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
URL url = new URL("https://gridserver:3049/cgi-bin/ls.py");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
InputStream inputstream = conn.getInputStream();
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);

String string = null;
while ((string = bufferedreader.readLine()) != null) {
    System.out.println("Received " + string);
}
answered Nov 28, 2018 by Sushmita
• 6,880 points
