SSL Client certificate


Mike Baroukh

Hi.

I must connect to an SSL server using a client certificate.
Of course, if I ask you for help, it's because it didn't work.
So, here is what I did. Could somebody point out the wrong step?
Thanks in advance ...

1/ First, I created a key :

keytool -genkey -keyalg rsa -keystore storefile -storepass storepass -alias mykey

2/ I created a certificate request

keytool -certreq -keystore storefile -storepass storepass -alias mykey -file mykey.csr

3/ I sent the generated file, which contains

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

to the webmaster of the site I have to connect to.

4/ He sent me back a crt, which I imported

keytool -import -keystore storefile -storepass storepass -alias mykey-crt -file mykey.crt

5/ I try to connect :

System.setProperty("javax.net.ssl.trustStore","~/storefile");
System.setProperty("javax.net.ssl.keyStore","~/storefile");
System.setProperty("javax.net.ssl.keyStorePassword","mykey6");
System.setProperty("javax.net.debug", "ssl,keymanager");

URL u = new URL("https://<url>");
URLConnection c = u.openConnection();
InputStream i = c.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(i));
String ligne;
while ((ligne = reader.readLine()) != null) {
    System.out.println(ligne.trim());
}
i.close();

result :
java.io.IOException: Server returned HTTP response code: 403 for URL: https://<url>
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1149)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at x509.Elvia.main(Elvia.java:23)

I tried to separate truststore and keystore, having only the crt in
keystore but nothing works.

Am I using the right method?
I don't understand why I don't just send a public key to the
webmaster ...

Mike
 

EJP

Mike said:
5/ I try to connect :

System.setProperty("javax.net.ssl.trustStore","~/storefile");
System.setProperty("javax.net.ssl.keyStore","~/storefile");

Java doesn't understand "~".

The keypair and the signed certificate must be in the keystore. That's a
*source* of authentication certificates. The truststore is where you
check *incoming* certificates. Very different functions.

Apart from the above your process was OK.
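
The keystore/truststore split described in the reply above, as an added example that is not code from either poster: it builds the path from `user.home` instead of "~", lists which keystore aliases are key entries with a certificate chain, and wires separate key and trust material into an `SSLContext`. The class name `ClientCertCheck`, the separate `truststore` file, and the key password being equal to the store password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertCheck {   // hypothetical class name
    // Load a keystore file of the JVM's default type from a real filesystem path.
    static KeyStore load(Path file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // "~" is expanded by the shell, never by Java: resolve against user.home.
        Path home = Paths.get(System.getProperty("user.home"));
        char[] pass = "storepass".toCharArray();   // store password from the keytool commands
        KeyStore keys = load(home.resolve("storefile"), pass);
        KeyStore trust = load(home.resolve("truststore"), pass);   // assumed separate file

        // Only a key entry (private key plus certificate chain) can be presented to a server.
        for (String alias : Collections.list(keys.aliases())) {
            Certificate[] chain = keys.getCertificateChain(alias);   // null for non-key entries
            System.out.printf("%s keyEntry=%b chainLength=%d%n",
                    alias, keys.isKeyEntry(alias), chain == null ? 0 : chain.length);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, pass);   // source of our own certificate (key password assumed = store password)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);        // used only to check the server's incoming certificate

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        if (args.length > 0) {  // target URL supplied by the caller
            HttpsURLConnection c = (HttpsURLConnection) new URL(args[0]).openConnection();
            c.setSSLSocketFactory(ctx.getSocketFactory());
            System.out.println("HTTP " + c.getResponseCode());
        }
    }
}
```

Run without arguments, it only prints the alias listing, which is enough to see whether any alias holds both the private key and a certificate chain.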
 
