Java Client Certificate over HTTPS SSL

0 votes

I am using Java 6 and am trying to create an HttpsURLConnection against a remote server, using a client certificate.
The server is using an selfsigned root certificate, and requires that a password-protected client certificate is presented. I've added the server root certificate and the client certificate to a default java keystore which I found in /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/lib/security/cacerts(OSX 10.5). The name of the keystore file seems to suggest that the client certificate is not supposed to go in there?

Anyway, adding the root certificate to this store solved the infamous javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed' problem.

However, I'm now stuck on how to use the client certificate. I've tried two approaches and neither gets me anywhere.
First, and preferred, try:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
URL url = new URL("https://somehost.dk:3049");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
InputStream inputstream = conn.getInputStream();
// The last line fails, and gives:
// javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I've tried skipping the HttpsURLConnection class (not ideal since I want to talk HTTP with the server), and do this instead:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("somehost.dk", 3049);
InputStream inputstream = sslsocket.getInputStream();
// do anything with the inputstream results in:
// java.net.SocketTimeoutException: Read timed out

I am not even sure that the client certificate is the problem here.

Nov 28, 2018 in Java by Daisy
 • 8,120 points 6,272 views

1 answer to this question.

0 votes

The missing links was (mostly) the first of the parameters below, and to some extent that I overlooked the difference between keystores and truststores.

The self-signed server certificate must be imported into a truststore:

keytool -import -alias gridserver -file gridserver.crt -storepass $PASS -keystore gridserver.keystore

These properties need to be set (either on the commandline, or in code):

-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.keyStore=clientcertificate.p12
-Djavax.net.ssl.trustStore=gridserver.keystore
-Djavax.net.debug=ssl # very verbose debug
-Djavax.net.ssl.keyStorePassword=$PASS
-Djavax.net.ssl.trustStorePassword=$PASS

Working example code:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
URL url = new URL("https://gridserver:3049/cgi-bin/ls.py");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
InputStream inputstream = conn.getInputStream();
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);

String string = null;
while ((string = bufferedreader.readLine()) != null) {
    System.out.println("Received " + string);
}
answered Nov 28, 2018 by Sushmita
 • 6,910 points

Related Questions In Java

0 votes
1 answer

Trusting all certificates using HttpClient over HTTPS

Note: Do not implement this in production ...READ MORE

answered Jun 25, 2018 in Java by Rishabh
 • 3,620 points 11,015 views
0 votes
1 answer

How to specify the certificate to use for authenticating the server to client?

You can try the command given below. System.setProperty("javax.net ...READ MORE

answered Jan 2, 2019 in Java by Daisy
 • 8,120 points 1,099 views
0 votes
0 answers

pass datasource for job to AWS Glue client in JAVA

How can i mention datasource for AWS ...READ MORE

Nov 10, 2019 in Java by cheshta
 • 120 points 652 views
0 votes
1 answer

When to use LinkedList over ArrayList in Java?

LinkedList and ArrayList are two different implementations of the List ...READ MORE

answered Dec 21, 2020 in Java by Gitika
 • 65,910 points 1,667 views
0 votes
1 answer

Unable to find valid certification path to requested target - error even after cert imported

Unfortunately - it could be many things ...READ MORE

answered Nov 27, 2018 in Java by Daisy
 • 8,120 points 4,397 views
0 votes
2 answers

Unable to find valid certification path to requested target

Unfortunately - it could be many things ...READ MORE

answered Dec 15, 2020 in Java by Roshni
 • 10,520 points 41,874 views
+2 votes
1 answer

How to import an existing x509 certificate and private key in Java keystore to use in SSL?

keytool does not provide such basic functionality ...READ MORE

answered Dec 19, 2018 in Java by Daisy
 • 8,120 points 2,399 views
0 votes
0 answers

Javamail Could not convert socket to TLS GMail

I want to send an email using ...READ MORE

May 2, 2022 in Java by Kichu
 • 19,050 points 2,620 views
0 votes
3 answers

String to Double conversion in java

Double temp = Double.valueOf(str); number = temp.doubleValue(); READ MORE

answered Sep 10, 2018 in Java by Sushmita
 • 6,910 points 1,341 views
0 votes
4 answers

Remove extra spaces from string in java

import java.util.regex.Matcher; import java.util.regex.Pattern; String pattern="[\\s]"; String replace=""; part="name=john age=13 year=2001"; Pattern ...READ MORE

answered Sep 10, 2018 in Java by Parth
 • 4,630 points 2,690 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.