
As a client I want to create a TLS1.2 connection to a URL (SOAP Endpoint) in Java.

I have been provided with a PFX file and a password for that file.

I am not sure whether I need to import the PFX file into the truststore or a keystore and how to do this?

What does the code look like to create the connection?

This question is similar but doesn't address how to get the pfx file into the java key system:

Java HttpsURLConnection and TLS 1.2

I did successfully manage to run:

keytool -importkeystore -srckeystore client.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype jks

Which has made a clientcert.jks

Ultimately I will be doing mutual TLS with the server, but as a starting point answers to these question will be helpful.

I have the server certificate too.

Doug Greaney
  • So you've got your keystore ready. Why you converted from PKCS#12 to the Java key store type is unclear to me (Java is gravitating towards using PKCS#12 as default anyway). Now you have to set up your truststore, unless the server certificate is already trusted because it has been issued by an existing trusted CA. So go and configure your connection already. – Maarten Bodewes Dec 02 '16 at 01:24
  • So I add the server certificate to the trust store? What does the code look like for the client certificate? – Doug Greaney Dec 02 '16 at 02:53
  • I have managed to add the public certificate from the pfx to the cacerts file with this answer: http://stackoverflow.com/questions/15964797/unable-to-import-p12-certificate-to-cacerts Now I need a code snippet to show me how to use URLConnection with this cert to connect to the URL. I assume I also need to download the public key file from the website to use mtls on the website. – Doug Greaney Dec 02 '16 at 18:35
  • You can directly use PKCS#12 as `KeyStore` instance by loading it, this is to authenticate yourself with your cert & private key. You also need a truststore (also a `KeyStore` instance) to be able to verify the certificate of the server. The same `KeyStore` instance can fulfill the role of keystore and truststore, but separate instances may also be used. It then becomes a question to configure the JSSE implementation with both stores and to enable client authentication. There should however be quite a few examples to do this on the internet. – Maarten Bodewes Dec 02 '16 at 18:41
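The setup the comments describe, as an added example that is not from the question or its commenters: the PFX is loaded directly as a PKCS12 KeyStore for client authentication, a separate truststore (the JKS or cacerts file the server certificate was imported into) is used to verify the server, and the resulting TLS 1.2 SSLContext is applied to one HttpsURLConnection. File names, passwords and the endpoint URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Keystore = our private key + client cert (who we are);
    // truststore = the server cert or its issuing CA (who we trust).
    static SSLContext buildContext(String pfxPath, char[] pfxPassword,
                                   String trustPath, char[] trustPassword) throws Exception {
        // The PFX can be loaded as-is; no conversion to JKS is required.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfxPath)) {
            keyStore.load(in, pfxPassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pfxPassword);

        // Truststore holding the server certificate, imported earlier with keytool.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustPath)) {
            trustStore.load(in, trustPassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Pin the protocol to TLS 1.2; null SecureRandom means the platform default.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and passwords; replace with your own.
        SSLContext ctx = buildContext("client.pfx", "pfx-password".toCharArray(),
                                      "truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://soap.example.com/endpoint").openConnection();
        // Scoped to this connection; default hostname verification stays enabled.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setDoOutput(true);
        conn.getOutputStream().write("<soap:Envelope/>".getBytes("UTF-8")); // placeholder body
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the server presents a certificate from a publicly trusted CA, the truststore can simply be the JRE's cacerts file; otherwise the imported server certificate (or its issuer) must be present, or the handshake fails with a path-validation error.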

1 Answer


If you are past loading the keystore, you can look at this article which describes how to set the SSL context on the URL connection.

Dave G