SSL Connection from Java client

Question

Hello everyone. I'm creating a Java client program that will be sending sensitive information to a Tomcat server. So I need to use SSL Connection so information will be encrypted.

I need to use self-signed untrusted certificate but having problems making connection from java client.

I have successfully setup Tomcat 5.5 to use SSL and tested it through Firefox, which displays warning of self-signed certificate.

I followed the Tomcat 5.5 SSL setup and they mentioned to create a keystore:

keytool -genkey -alias tomcat -keyalg RSA

Then I did an export of the above:

keytool -export -keystore .keystore -alias tomcat -file localhost.cer

Then I did an import of the above certificate into client machine:

keytool -import -alias tomcat -file localhost.cer -keystore "C:\Program Files"\Java\jdk1.6.0_17\jre\lib\security\cacerts"

But when running client I get:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is the client code:

URL url = new URL("https://localhost:8443");
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
InputStream inputstream = conn.getInputStream();

Now I just started playing with these certificates today and I'm new to keystores, so please be patient.

Can someone please explain how to export and import the certificate created in Tomcat to client machine?

Thank you.

Answer 1

Atlassian has good instructions on how to fix this.

http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services

Another approach is to install less unforgiving certificate validators, but that should only be done as a last resort.

Answer 2

Use Apache HTTP Cleint jar and follow this SSL Guide.

EasySSLProtocolSocketFactory can be used to create SSL connections that allow the target server to authenticate with a self-signed certificate.

Answer 3

Owner: CN=localhost,.....
Issuer: CN=localhost,....
Serial number: 4b736566 Valid from: Wed Feb 10 21:03:18 EST 2010 until: Tue May 11 22:03:18 EDT 2010 Certificate fingerprints: MD5: 8E:56:AF:94:2E:C7:14:35:F4:6A:8D:05:EF:77:B9:17 SHA1: 2C:E9:88:32:D8:05:3D:50:57:B3:C1:A7:0C:A7:41:21:17:52:E3:E3 Signature algorithm name: SHA1withRSA Version: 3 Trust this certificate? [no]: yes Certificate was added to keystore

The keystore is located at - C:\Program Files\Java\jdk1.6.0_17\jre\lib\security\cacerts

When I run the client once again I still get: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So I added this to my code:

System.setProperty("javax.net.ssl.trustStore","C:\\Program Files\\Java\\jdk1.6.0_17\\jre\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStore","changeit");

And now I get this error:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183) at java.security.cert.PKIXParameters.(PKIXParameters.java:103) at java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:87) at sun.security.validator.PKIXValidator.(PKIXValidator.java:57)

Any clues by anyone would be greatly appreciated.