0

I am having trouble connecting to a secure site using a Java program. I have imported 3 certificates given from the server that I will be connecting to; public, inter and root certificate. I have properly imported the 3 certs to the java cacerts. And also specified in calling the Java class with the following parameters:

java -Djavax.net.debug=ssl
Djavax.net.ssl.keystore=JAVACACERTS -Djavax.net.ssl.keystorePassword=changeit -server -cp $CLASSPTH -Xmx500m SendOrderResponse

However, I'm getting a "bad_certificate" error. I looked at the details of the logs and it seems like the root certificate is not in the certificate chain.

Any idea why it happened? when I have imported the 3 certs in the Java cacerts? I assume that the bad certificate was thrown because of the certificate chain error.

ring bearer
  • 20,383
  • 7
  • 59
  • 72
user981905
  • 1
  • 1
  • 1
  • 1

3 Answers3

8

I suggest you run:

openssl s_client -connect remoteserver:443

Assuming the remote server requires or requests client certificate authentication, it should send you a list of acceptable CAs.

You should send a certificate ultimately signed by one of these CAs. The ssl specification does not require that you send the CA, however you should send the certificate and the full intermediate chain to that CA. My experience is that two CA certificates may look extremely similar to each other. The move to 2048 bits has not helped in this regard. Double check.

As a side note, your client received the bad certificate alert. The problem lies with the certificates your client is sending, not the validation of the server certificates.

(Edit) Did I mention that the certificates you send must be valid ? in particular,

  • non expired end date and sensible start date
  • a CN which matches the public DNS server name of the machine your are connecting from: the server may be performing a reverse DNS lookup on the client IP and matching it to the CN of the sent certificate.
tshepang
  • 12,111
  • 21
  • 91
  • 136
Bruno Grieder
  • 28,128
  • 8
  • 69
  • 101
1

It looks like you're not using client-certificates.

In this case, don't set the javax.net.ssl.keystore parameters in your client application. Importing only the root (and perhaps intermediate) certificates in your truststore (cacerts by default) should be sufficient too.

More details about keystore/truststore in this answer: https://stackoverflow.com/a/6341566/372643

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376
  • Hi @Bruno, thanks for the info. I have tried what you've said, removed the javax.net.ssl.keystore parameter in my client application and only imported the root, tried as well with the intermediate certificates in javacacerts, but i'm still getting bad_certificate error. – user981905 Dec 14 '11 at 02:10
  • by the way I have also tried using `openssl s_connect -connect SERVERHOST:443` and it returned following error below: `CONNECTED(00000003) depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C verify error:num=20:unable to get local issuer certificate verify return:0 3110:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42 3110:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:` – user981905 Dec 14 '11 at 02:13
  • 1
    The OpenSSL error you're getting is normal: it doesn't have a list of trusted certificates by default, you should check its `-CApath`/`-CAfile` options. – Bruno Dec 14 '11 at 02:18
-3

If you have imported the certificates than try this 

Set PATH=<YOUR JRE/BIN>;%PATH%

and than run your java client

rbhawsar
  • 805
  • 7
  • 25