I'd like to be able to connect to an https site that requires a personal certificate from a smart card for authentication. I think I'm very close to having it work, but not sure how to get past this exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
I'm not able to share my code because of contract, but here's a summary:
I created a keystore that contains all certificates that I exported out of my browser. I use this keystore as the truststore for the SSLContext. I'm pretty certain this keystore contains the correct CA certificates to verify the remote site's cert because it fixes the "unable to find valid certification path to requested target" exception.
I can programmatically create a keystore using the smart card reader as a provider similar to technique described here: Common Access Card (CAC) Authentication Using Java. The keystore created from the smart card contains my personal certificates. When I use that as the keystore for the SSLContext, this resolves the error message: "Received fatal alert: handshake_failure".
So, it seems I'm getting closer! But the most recent stacktrace I'm seeing is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
I added the jvm flag -Djavax.net.debug=ssl
and I am seeing good SSL debug info, but I'm not sure how to read the debug trace to figure out which CA is unknown.
One question: The truststore keystore contains all the CA certs. However, the keystore created from the smart card does not contain any of the CA certs (it only contains the personal certs found on the smart card). Maybe I need to add CAs to the keystore?
Any other suggestions/thoughts about what I might be missing and/or how to interpret the SSL debug output?