How do I load a signed client certificate into a keystore

Hello

I'm getting:

[24/Jul/2001 12:50:18 01835] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

when I try to connect to a server requiring client certificates. The client Java program doesn't seem to send the actual certificate. I'm using the included SSLSocketClientWithClientAuth.java code and I am not sure how to add the signed client certificate to the 'testkeys' keystore. Assuming my server certificate file is called server.cert and the server certificate key file is called server.key, can anyone tell me how to generate and add a signed client certificate into the keystore which will actually get used? I've been banging my head off the wall for a couple of days now with this - all help appreciated greatly.

David

[Sorry for posting this in 2 places but I didn't notice this forum until after I'd already posted the other one]

By vitamin at 2007-9-26 1:39:35
# 1

I should also add that the snippet of log file came from the ssl_engine_log on the https server side. I have added the certificate for the server to the cacerts keystore and so all the early certificate verification (i.e. client verification of the server cert) gets done ok.

The actual stacktrace on the client side when it fails is:

java.net.SocketException: Connection aborted by peer: socket write error
    at java.net.SocketOutputStream.socketWrite(Native Method)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:83)
    at com.sun.net.ssl.internal.ssl.OutputRecord.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.e([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
    at java.io.OutputStream.write(OutputStream.java:61)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
    at SSLSocketClientWithClientAuth.main(SSLSocketClientWithClientAuth.java:129)

if it is of help.

Thanks

David

vitamin at 2007-6-29 2:28:53
# 2

Hurray!

Finally managed to get it working, and you know what, I'm actually going to write here how I did it so it'll be here for future reference.

Basically I found a really good document on the web with the steps outlined which when followed get the whole setup going properly:

http://www.ddj.com/articles/2001/0102/0102a/0102a.htm

Got the SSLSocketClientWithClientAuth.java code requesting a page on a certificate required server and getting the page contents back.

My problem appears to have been that I wasn't signing the client certificates properly for the keystore (I knew that anyway - there were no properly signed certificates and that's why it fell over every time it got to the stage of the negotiation to pass over its client certificate, and the ssl error log was saying "no valid client certificates" or whatever it was).

David

vitamin at 2007-6-29 2:28:53
# 3
Can I claim back my duke dollars for answering my own question? :-) [I know a lot of people out there are going to be thankful for that response!]
vitamin at 2007-6-29 2:28:53
# 4

To complete this good article on creating a keystore with the certificates, two notes:

1) You have to use (at least) JDK1.3

because a keystore created by the keytool of JDK 1.2.2 (for example) doesn't work: you can create the keystore and put the certificates into it, but the handshake fails when searching the certificates...

With JDK 1.3.1, it works.

2) When creating a public key that has to be certified by the CA, as the ddj article says:

you first create a new certificate request with keytool: keytool -keystore testkeys -certreq -alias client -file client.crs

after this, sign this key with a CA:

openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem -keyfile ca.key

convert it into DER format:

openssl x509 -in client.crs.pem -out client.crs.der -outform DER

and import the signed client key into the keystore:

keytool -keystore testkeys -alias client -import -file client.crs.der

What I want to underline is the first step:

You have to create the CRS file with keytool (and not openssl), otherwise the signed key imported into the keystore is not recognised in the handshake.

I wanted to underline this point because:

if you create the CRS file with openssl, sign the key with the CA certificate, and use the crs.der file as a signed/certified key,

this works with a C client,

but this fails in a Java client.

A last remark:

the direct link to the Dr. Dobb's article is:

http://www.ddj.com/documents/s=870/ddj0102a/0102a.htm

yoyoF at 2007-6-29 2:28:53
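Putting yoyoF's four steps together as an added, runnable example (this is not code from the thread or from the ddj article): it builds a throwaway CA with openssl, generates the key pair and the certificate request with keytool inside a keystore named testkeys under the alias client, signs the request with the CA, imports the CA certificate and then the signed reply, and finally checks that the client alias is still a PrivateKeyEntry with a two-certificate chain. For contrast it also imports a certificate whose key was generated entirely by openssl; that one lands as a trustedCertEntry with no private key behind it, which is why a Java client cannot present it during the handshake. The file names testkeys, client, client.crs, client.crs.pem, client.crs.der and ca.key follow the thread; the CA subject, the client DN, the aliases democa and external, and the password changeit are constructed for this demo, and openssl x509 -req stands in for openssl ca so that no openssl.cnf is needed.

```shell
#!/bin/sh
# Added example: replay the keytool/openssl steps from the thread with a throwaway CA,
# then inspect what the keystore actually holds. Not the thread's own code.
# Constructed values: CA subject, client DN, aliases democa/external, password changeit.
set -eu

STOREPASS=changeit
DEMO_RESULT=skipped
CLIENT_ENTRY_TYPE=
CLIENT_CHAIN_LEN=
EXTERNAL_ENTRY_TYPE=

have_tools() {
  command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1
}

# Throwaway CA; stands in for the openssl.cnf-based CA used in the thread.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# The key pair lives in the keystore and the CSR is produced by keytool from that entry,
# so the signed reply imported later matches a private key JSSE can actually use.
make_client_csr() {
  keytool -genkeypair -keystore "$WORK/testkeys" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -alias client -keyalg RSA -keysize 2048 -dname "CN=demo-client" -validity 30 >/dev/null 2>&1
  keytool -certreq -keystore "$WORK/testkeys" -storepass "$STOREPASS" \
    -alias client -file "$WORK/client.crs" >/dev/null 2>&1
}

# Sign with the CA and convert to DER, as the thread does.
sign_and_convert() {
  openssl x509 -req -in "$WORK/client.crs" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/client.crs.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/client.crs.pem" -out "$WORK/client.crs.der" -outform DER
}

# The CA certificate must be trusted in the keystore (or in cacerts) before the reply goes in;
# otherwise keytool cannot build the chain and refuses the reply. -importcert is the
# current spelling of the -import option used in the thread.
import_reply() {
  keytool -importcert -keystore "$WORK/testkeys" -storepass "$STOREPASS" \
    -alias democa -file "$WORK/ca.crt" -noprompt >/dev/null 2>&1
  keytool -importcert -keystore "$WORK/testkeys" -storepass "$STOREPASS" \
    -alias client -file "$WORK/client.crs.der" -noprompt >/dev/null 2>&1
}

# Contrast case: a certificate whose key was generated outside the keystore. It imports,
# but only as a trusted certificate; the keystore has no private key for it.
import_external_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=external" \
    -keyout "$WORK/ext.key" -out "$WORK/ext.crt" >/dev/null 2>&1
  keytool -importcert -keystore "$WORK/testkeys" -storepass "$STOREPASS" \
    -alias external -file "$WORK/ext.crt" -noprompt >/dev/null 2>&1
}

# Read the "Entry type:" / "Certificate chain length:" lines of keytool -list -v for an alias.
entry_type() {
  keytool -list -v -keystore "$WORK/testkeys" -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
    | sed -n 's/^Entry type: //p'
}
chain_length() {
  keytool -list -v -keystore "$WORK/testkeys" -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}

run_demo() {
  if ! have_tools; then
    echo "openssl and keytool are required; skipping" >&2
    return 0
  fi
  WORK=$(mktemp -d)
  make_test_ca
  make_client_csr
  sign_and_convert
  import_reply
  import_external_cert
  CLIENT_ENTRY_TYPE=$(entry_type client)
  CLIENT_CHAIN_LEN=$(chain_length client)
  EXTERNAL_ENTRY_TYPE=$(entry_type external)
  echo "client:   $CLIENT_ENTRY_TYPE, chain length $CLIENT_CHAIN_LEN"
  echo "external: $EXTERNAL_ENTRY_TYPE"
  rm -rf "$WORK"
  DEMO_RESULT=ok
}

run_demo
```

Run it with sh; it skips with a message when openssl or keytool is not on the PATH. The check that matters is the Entry type line from keytool -list -v: only a PrivateKeyEntry whose chain reaches a CA the server trusts can be offered for client authentication, and a chain length of 1 after the import means the reply was not applied to the key entry.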
# 5

I am not a security expert by any means - I have a couple of questions. 1. Regarding CA signing: aren't CAs only organizations like Verisign etc.? So in this case who is this signer?

2. Also, why can't you use self-signed certificates for testing purposes etc.?

TIA

Sanjay

sbahal at 2007-6-29 2:28:53
# 6

Hi sbahal,

Why do you make people frustrated so that they don't use third party certificates?

Without third party certificates there is no guarantee that your data over the secure communication is secured, so please have a look at the documents on PKI over the internet.

It is ok for testing with self-signed certificates, but the real fun is with the third party certificates, ok.

bye,

Srinivas

svelidanda at 2007-6-29 2:28:53
# 7

Hi Sanjay,

CAs are not only organizations like Verisign, etc...

CAs are organizations which you trust, and these articles are not only for testing purposes.

In my case, I develop a product for my company and the clients who want to use this product have to trust my company. But, in this case, they don't have to pay a signer like Verisign because if they trust us, it costs nothing.

bye,

Yoyo

yoyoF at 2007-6-29 2:28:53
# 8

A clarification/correction about:

"You have to create the CRS file with keytool (and not openssl), otherwise the signed key imported into the keystore is not recognised in the handshake.

...

if you create the CRS file with openssl, sign the key with the CA certificate, and use the crs.der file as a signed/certified key,

...

this fails in a Java client."

If you have a certificate (created by anyone, for example toto.crt created via openssl), you can import it into the keystore with the option -noprompt.

==> keytool -keystore testkeys -alias client -import -noprompt -file toto.crt

And like this, the handshake is OK :-)

yoyoF at 2007-6-29 2:28:53