All geek questions in one place

JAVA - SSL - Client Certificates

I am developing a WS client using JAVA and I have a problem with SSL authentication. WSs are created in WCF, and I do not have access to the server, they work through HTTPS and use a client certificate, which must be installed on the client first. The guys from the server sent me a PFX certificate that I successfully installed on the OS (I use OS X), and I could access WS through a browser (Safari or FF are the ones I tried that previously could not access WS). I thought that any application in the OS would use these certificates, but when I tried my JAVA application, it did not work; First, the following error was selected:

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: could not create PKIX path: sun.security.provider.certpath.SunCertPathBuilderException: could not find a valid certification path for the requested target

I solved this by exporting the certificate to a CER file and using the keytool command-line tool to add the certificate to the "cacerts" keyStore JAVA. But after this error disappeared, the following appeared: "403, prohibited." This is obvious due to the fact that he does not use an SSL client certificate for the site, but I could not find a way to send it to him. Any help would be appreciated.

The following is the code I'm using to publish to WS:

URL url = new URL(p_url); HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); conn.setDoOutput(true); conn.setRequestMethod("POST"); conn.setRequestProperty("Content-Type", contentType); OutputStream out = conn.getOutputStream(); // on this line it shows the error
+4
source share
3 answers

You can create a specific SSLContext (using a KeyManager initialized with a keystore containing your client certificate + private key) from which you get the SSLSocketFactory that you installed in your HttpsURLConnection , or use the global settings.

You can set the following system properties (for global settings):

  • javax.net.ssl.keyStore=path/to/keystore.pfx
  • javax.net.ssl.keyStoreType=PKCS12
  • javax.net.ssl.keyStorePassword=xxxxxxxxx

Alternatively, you can create your own KeyManagerFactory / KeyManager as described in this answer .

Since you imported the server certificate into cacerts , use null for the TrustManager[] argument of SSLContext.init() (it will get the default values).

In addition, since you are on OSX, you can directly use KeychainStore . To do this, use ....keyStore=NONE , keyStoreType=KeychainStore and keyStorePassword=- (any password will be made, since access to the key will be granted when you need it from the OS). Although I'm not sure if this works on a lion. Please note that it may fail if your store has more than one certificate + private key (see this problem ).

+4
source

It looks like you probably need to set up your own SSL SocketFactory,

 http://vafer.org/blog/20061010073725/

I think things have gotten better since 2006, so you just need to specify a bunch of properties on the command line:

 http://stackoverflow.com/questions/875467/java-client-certificates-over-https-ssl
0
source

You need to download the keystore that they will send to you in your Java application.
You can load it as a file from the file system into a Keystore object and use it. Read this example and especially the part about the KeyManager ie createKeyManagers .

Another option is to load the keystore from windows. Read about Windows-MY Provider

0
source

Source: https://habr.com/ru/post/1392147/

More articles:


All Articles