Openssl equivalent in Java

Michael Arnett
Ranch Hand

Joined: Mar 22, 2001
Posts: 65
Hi all,
I was hoping someone could help me out. I have two questions. First, OpenSSL includes a test client s_client. This client will connect to an SSL server and verify that client auth is happening correctly. This client accepts a client cert file and a client private key file as parameters. I was wondering if it was possible to perform a similar execution in Java? I am aware of concatenating the private key and client cert, but it seems it would be more elegant to be able to specify a client cert and a private key without creating a concatenated file.
The second question is how does one recreate the CA chain if given a root ca, a subordinate ca, and a client cert all in separate PEM files. I would like to create a pkcs12 file that contains a client private key- client certificate pair but instead of just having a single cert, have all three of the aforementioned certs.
Thanks in advance for any insight,

Sun Certified Programmer for the Java 2 Platform 1.4
Michael Arnett
Ranch Hand

Joined: Mar 22, 2001
Posts: 65
Ok, I found the answer to the second portion of my question; so I thought I would post it.
1. Assume that you have a client cert in PEM format called client.pem.crt.
2. Assume that you have a CA root cert also in PEM format called cacert.pem.crt.
3. Assume that you have a client private key in PEM format called client.pem.privkey.
4. First, verify that the client cert was signed by the cacert.pem.crt file. Execute:
openssl verify -CAfile C:\test\cacert.pem.crt client.pem.crt
client.pem.crt: OK
5. If the response is ok, then proceed by combining the client private key and client cert into a single pkcs12 file which includes the CA Chain from the cacert.pem.crt file. Execute:
openssl pkcs12 -export -chain -CAfile C:\test\cacert.pem.crt -in client.pem.crt -inkey client.pem.privkey -out client_caChain.p12
That's all there is to it. If you want to import this pkcs12 file into a jks file (Java KeyStore), just use the jdk keytool utility or better yet the handy KeytoolGUI utility (
Hope someone else can use this info.
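
For the first question in this thread, an added example (not part of the original posts, and not JSTK code): a Java client that takes the certificate and key as separate PEM files, builds the key entry with its CA chain in memory, and attempts a TLS handshake with client auth. It reuses the file names from the steps above; the class name, the host and port arguments, and the placeholder password are assumptions, and the key is assumed to be an unencrypted PKCS#8 RSA key ("BEGIN PRIVATE KEY"; `openssl pkcs8 -topk8 -nocrypt` converts other PEM keys).

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.*;

public class ClientAuthCheck {  // hypothetical class name
    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            // CertificateFactory parses PEM as well as DER
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Assumption: unencrypted PKCS#8 RSA key ("-----BEGIN PRIVATE KEY-----")
    static PrivateKey readKey(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {  // args: host port
        X509Certificate client = readCert("client.pem.crt");
        X509Certificate ca = readCert("cacert.pem.crt");
        client.verify(ca.getPublicKey());  // signature check only; throws if the CA did not sign it

        char[] pw = "changeit".toCharArray();  // placeholder; protects only the in-memory entry
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);  // empty keystore, nothing written to disk
        ks.setKeyEntry("client", readKey("client.pem.privkey"), pw, new Certificate[] {client, ca});

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);  // null: server is checked against the JRE default trust store

        SSLSocketFactory sf = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) sf.createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            Certificate[] sent = s.getSession().getLocalCertificates();  // null if no client cert was sent
            System.out.println(sent == null ? "handshake ok, no client cert sent"
                    : "handshake ok, client chain sent: " + sent.length + " cert(s)");
        }
    }
}
```

With a root plus subordinate CA, pass all three certificates to setKeyEntry in order: client, subordinate, root. Under TLS 1.3 a server that rejects the client certificate may only signal it after startHandshake() has returned, so a failure can surface on the first read instead.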
Pankaj Kr
Ranch Hand

Joined: Sep 09, 2003
Posts: 80
Check out ssltool utility of JSTK for a Java equivalent of OpenSSL's s_client.

Pankaj Kumar