Help in using client certificate authentication

Hello all,

I have been working on a problem for quite some time now with no luck. I am writing a client to a web service from an outside vendor. The vendor is a certificate authority, although a non-standard one for sure, and they supply certificates for many applications in my industry. Unfortunately, they're a .NET shop, and they are not able to help with the implementation of their certificates on the Java side at all.

I finally found some classes that I thought would help me out in org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory. I implemented my SSL protocol, which should implement the client-side certificates using the factory, and from there created my HTTPClient object.

I imported certificates into my truststore and keystore using the keytool. Before I got the truststore working, I had issues with the connection not happening, but now I am getting a 200 response that my authentication failed, so I am pretty sure it's the keystore that's to blame.

When I get to the part where it is setting up the KeyManager in the code, it attempts to get the certificate chain for each of the aliases in the keystore I provided, but the certificate chain is always null. (However, if I send the same file when setting up the truststore, it DOES find a certificate chain. What's up with that?)

So then I was thinking that perhaps I needed to use something like PKCS#12 to export the client certificate so that it would have all the certificates in the chain, as well as the public and private keys. But when I do that, I can't import it into the keystore because it's not an X509 certificate. (I also tried converting it from PKCS#12 to DER to see if the chain would come along, but no such luck.)

I would have thought this would be a pretty common thing to want to do, but I'm just not finding much through google searches. Does anyone have any insight on what else I need to do through keytool or other libraries that would help?

Thanks in advance,

Jennifer

Message was edited by: jennford

By jennforda at 2007-11-27 8:48:01
# 1

I also tried importing the root certificate because I thought that might be the issue since the CA is non-standard. I went into the Certificates listing under IE, went to 'Trusted Root Certification Authorities' and tried exporting their Root Certificate to a file (I tried both DER and Base-64), and the keytool claims that it is not an X509 certificate.

Is that because:

a) keytool isn't working or isn't giving an appropriate error message?

b) IE is no good at exporting root certificates?

c) root certificates don't need to be added to the keystore?

jennforda at 2007-7-12 20:54:11
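Added example (not code from the thread, the vendor, or Commons HttpClient) showing the checks behind the two questions above: why the KeyManager sees a null chain, and whether the exported root is really unreadable. Two JCA facts drive it. First, keytool -import (-importcert) creates only trusted certificate entries; KeyStore.getCertificateChain() returns null for such an alias, and a KeyManager can only present a client certificate from an entry that holds a private key. Second, a PKCS#12 export is itself a keystore: it is opened with KeyStore type "PKCS12" (or copied into a JKS with keytool -importkeystore, available from JDK 6), not imported as if it were a certificate. The file names client.p12, vendor-root.cer and truststore.jks, the alias "vendor-root" and the password are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic; file names, alias and password below are assumptions.
public class ClientCertDiagnostics {

    // Opens a JKS or PKCS12 file as a KeyStore; a missing file starts an empty store.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        File f = new File(path);
        if (!f.exists()) {
            ks.load(null, password);
            return ks;
        }
        InputStream in = new FileInputStream(f);
        try {
            ks.load(in, password);   // a .p12 is loaded as a store, not imported into one
        } finally {
            in.close();
        }
        return ks;
    }

    // Parses a .cer file with the JCA directly (DER or Base-64 "BEGIN CERTIFICATE"
    // both work). If this throws, the file is not a bare X.509 certificate,
    // whatever keytool's message says; if it parses, the problem is in keytool usage.
    static X509Certificate parseCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    // Reports each alias. Only a key entry has a non-null chain; a trustedCertEntry
    // (what 'keytool -import' of a .cer creates) gives getCertificateChain() == null.
    static int countKeyEntries(KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            if (ks.isKeyEntry(alias) && chain != null) {
                System.out.println(alias + ": private key entry, chain length " + chain.length
                        + ", subject " + ((X509Certificate) chain[0]).getSubjectX500Principal());
                keyEntries++;
            } else {
                System.out.println(alias + ": trusted certificate only, no chain");
            }
        }
        return keyEntries;
    }

    // KeyManager from the PKCS#12 (client cert + private key), TrustManager from the JKS.
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();   // assumed password for both stores

        // 1. Check the exported root independently of keytool, then add it to the truststore.
        X509Certificate root = parseCertificate("vendor-root.cer");
        System.out.println("root parses: " + root.getSubjectX500Principal());
        KeyStore trustStore = load("truststore.jks", "JKS", pw);
        trustStore.setCertificateEntry("vendor-root", root);
        OutputStream out = new FileOutputStream("truststore.jks");
        try { trustStore.store(out, pw); } finally { out.close(); }

        // 2. Open the PKCS#12 export as the key store and confirm it holds a key entry with a chain.
        KeyStore keyStore = load("client.p12", "PKCS12", pw);
        if (countKeyEntries(keyStore) == 0) {
            System.err.println("No private key entry: the KeyManager has no client certificate to present");
            return;
        }

        // 3. Build the context for the mutually authenticated connection.
        SSLContext ctx = buildContext(keyStore, pw, trustStore);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

The second step is the one that answers the original post: if every alias prints "trusted certificate only", the keystore was built with -import from .cer files and never contained the private key, which is exactly the case in which the KeyManager chain comes back null while the same file works fine as a truststore.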
# 2
If you got to the 200 stage it means the handshake worked and the SSL connection is completely up. You are now in the land of java.net.Authenticator.
ejpa at 2007-7-12 20:54:11