I have a .cer self-signed certificate, using which I need to make a GET/POST request to a web service in Java. I'm totally new to this concept. I have googled a lot about how to do this, but nothing helped me. While doing this, I came across the Java keystore and truststore, and I guess these can be used to accomplish my task. Can someone be kind enough to help me understand how the Java keystore works? Please suggest if there is some other way to do this. Any kind of help is appreciated. Thanks in advance.
- http://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication?noredirect=1&lq=1 – Feb 25 '17 at 14:37
- https://www.mkyong.com/java/java-https-client-httpsurlconnection-example/ – Feb 25 '17 at 14:38
- http://stackoverflow.com/questions/10968708/java-simple-get-request-using-ssl-certificate-and-https – Feb 25 '17 at 14:38
- http://alvinalexander.com/blog/post/java/simple-https-example – Feb 25 '17 at 14:38
- https://www.ibm.com/support/knowledgecenter/SSZJPZ_8.7.0/com.ibm.swg.im.iis.ia.restapi.doc/topics/r_restapi_sending_https_java.html – Feb 25 '17 at 14:39
1 Answer
Basically, a keystore is a "place" (usually a file) where you can put digital certificates and their corresponding private keys (you'll have the private key only if you're the owner of the certificate; that's a simplified explanation, but I think it's good enough for now).

When you GET/POST to an https URL, it means that the server you're accessing has its own digital certificate, and to successfully access it you need to trust that certificate. In Java you can do this by creating a keystore that contains the certificate and the corresponding chain. (Each certificate is signed by some other entity who also has a certificate, or it's self-signed; so you get the certificate that signed it, the certificate that signed the signer, and so on, until you get to a self-signed one. All of these certificates are the chain, and you need to put all the chain certificates inside the keystore.) This specific keystore is called a truststore (the store that contains all trusted certificates).

Is the self-signed certificate that you have the service's certificate? If so, just create a keystore with it and set it as your truststore.

How to create a keystore: https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/index.html (or search for examples for the KeyStore class)

How to set the truststore: java SSL and cert keystore

- Thanks much for your informative answer. The certificate I have is for client authentication. Many clients would be calling the web service and should get themselves authenticated when they do so. So in this case, where and how should I add my certificate such that the communication is successful and I get a response from the web service? – Kavitha Feb 26 '17 at 09:25
- The client certificate must be in a different keystore and set in another property (check http://stackoverflow.com/questions/5871279/java-ssl-and-cert-keystore/5871352#5871352; it's javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword). But you also need the private key; otherwise client authentication won't work – Feb 26 '17 at 09:57
- Thanks again. What I understand now is that I only have the public key and certificate (in .cer format). I don't own the certificate; the company where I work gave it. But when I call the web service manually using this .cer file, I am able to access it. I've imported the certificate into the personal store of Chrome and use the Postman extension to send the request. How does the client authentication work here without the private key? So as per your reply I would need the private key to automate in Java. I will have to ask for it from the owner. I believe I will get it, but that is just not right practice. Please suggest something! – Kavitha Feb 26 '17 at 13:07
- If it works without the private key, then the service doesn't require client authentication – Feb 26 '17 at 13:34
- Thanks Hugo. I've managed to get through the SSL validation part successfully. But now the service returns 401 Unauthorized for the URL I'm trying to access. I get a 200 OK response when I access the root directory of the web service. Can you please tell me why this is happening? – Kavitha Mar 05 '17 at 14:13
- I suggest checking the service logs (or the team responsible for the service) to know why it's refusing your access – Mar 05 '17 at 14:26
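Putting the answer and the javax.net.ssl.keyStore comment above together in code: the following is an added example, not code from the original post or its author. It shows a Java client that (1) loads a single self-signed .cer into an in-memory truststore, so only that certificate is trusted for the connection (a self-signed certificate is its own chain, so one entry is the whole chain), and (2) optionally loads a PKCS#12 keystore holding the client certificate together with its private key for client authentication, which is exactly the part a bare .cer (public key only) cannot provide. The file names `service.cer` and `client.p12`, the alias `service`, the URL and the JSON body are assumptions for illustration; nothing here is taken from the poster's environment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not from the original post): HTTPS client pinned to one self-signed .cer. */
public class SelfSignedHttpsClient {

    /** In-memory truststore holding only the service's certificate (DER or PEM .cer). */
    static KeyStore trustStoreFrom(String cerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                                   // start with an empty store
        try (InputStream in = new FileInputStream(cerPath)) {
            Certificate serviceCert = cf.generateCertificate(in);
            // A self-signed cert is its own chain, so this single entry is enough.
            ts.setCertificateEntry("service", serviceCert);   // alias "service" is arbitrary (assumed)
        }
        return ts;
    }

    /**
     * SSLContext that trusts only what is in trustStore. If clientP12 is non-null it names a
     * PKCS#12 file containing the client certificate AND its private key, which is what client
     * authentication needs; pass null when the service does not ask for a client certificate.
     */
    static SSLContext sslContext(KeyStore trustStore, String clientP12, char[] p12Password)
            throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                                  // trust ONLY the pinned cert

        KeyManagerFactory kmf = null;
        if (clientP12 != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(clientP12)) {
                ks.load(in, p12Password);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, p12Password);                         // private key is used here
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Sends GET (jsonBody == null) or POST (jsonBody != null); returns "status\nresponse body". */
    static String send(String url, SSLContext ctx, String jsonBody) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default hostname verification is kept: the cert's CN/SAN must match the URL host.
        if (jsonBody == null) {
            conn.setRequestMethod("GET");
        } else {
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/json");
            conn.setDoOutput(true);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(jsonBody.getBytes(StandardCharsets.UTF_8));
            }
        }
        int status = conn.getResponseCode();                   // TLS handshake happens here
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        String text = body == null ? "" : new String(body.readAllBytes(), StandardCharsets.UTF_8);
        return status + "\n" + text;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: service.cer https://service.example/api/resource [client.p12 password]
        String cerPath = args[0];
        String url = args[1];
        String clientP12 = args.length > 2 ? args[2] : null;
        char[] p12Password = args.length > 3 ? args[3].toCharArray() : new char[0];

        SSLContext ctx = sslContext(trustStoreFrom(cerPath), clientP12, p12Password);
        System.out.println(send(url, ctx, null));              // GET
        System.out.println(send(url, ctx, "{\"ping\": true}"));// POST with a constructed body
    }
}
```

Run it (Java 9 or later, for `readAllBytes`) as `java SelfSignedHttpsClient service.cer https://service.example/api/resource`, adding `client.p12 <password>` only if the service really performs client-certificate authentication. The equivalent without code is to import the .cer with `keytool -importcert -file service.cer -alias service -keystore truststore.jks` and start the JVM with `-Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=<password>`; the client keystore goes in `javax.net.ssl.keyStore` / `javax.net.ssl.keyStorePassword` as the comment above says. Two checks worth keeping in mind: if the handshake fails because the certificate's name does not match the host, the fix is a correct certificate, not a trust-all TrustManager or a disabled HostnameVerifier, since either one removes the protection the truststore gives; and an HTTP 401 arrives over a TLS connection that has already succeeded, so it concerns application-level credentials rather than the certificate.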