Hi all, I was hoping someone could help me out. I have two questions.

First, OpenSSL includes a test client, s_client. This client will connect to an SSL server and verify that client auth is happening correctly. This client accepts a client cert file and a client private key file as parameters. I was wondering if it was possible to perform a similar execution in Java? I am aware of concatenating the private key and client cert, but it seems it would be more elegant to be able to specify a client cert and a private key without creating a concatenated file.

The second question is how does one recreate the CA chain if given a root ca, a subordinate ca, and a client cert all in separate PEM files. I would like to create a pkcs12 file that contains a client private key - client certificate pair but, instead of just having a single cert, have all three of the aforementioned certs.

Thanks in advance for any insight,
-MLA
Sun Certified Programmer for the Java 2 Platform 1.4
Joined: Mar 22, 2001
Ok, I found the answer to the second portion of my question, so I thought I would post it.

1. Assume that you have a client cert in PEM format called client.pem.crt.
2. Assume that you have a CA root cert also in PEM format called cacert.pem.crt.
3. Assume that you have a client private key in PEM format called client.pem.privkey.
4. First, verify that the client cert was signed by the cacert.pem.crt file.
   Execute:
       openssl verify -CAfile C:\test\cacert.pem.crt client.pem.crt
   Response:
       client.pem.crt: OK
5. If the response is ok, then proceed by combining the client private key and client cert into a single pkcs12 file which includes the CA Chain from the cacert.pem.crt file.
   Execute:
       openssl pkcs12 -export -chain -CAfile C:\test\cacert.pem.crt -in client.pem.crt -inkey client.pem.privkey -out client_caChain.p12

That's all there is to it. If you want to import this pkcs12 file into a jks file (Java KeyStore), just use the jdk keytool utility or, better yet, the handy KeytoolGUI utility (http://www.waynegrant.info/keytool.html).

Hope someone else can use this info.
-MLA
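An added example, not part of the original posts: the steps from the post above extended to the case in the first question, where the root CA and the subordinate CA arrive in separate PEM files. The throwaway PKI, the rootca.pem.crt and subca.pem.crt file names, and the P12_PASS environment variable are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. All key material is a constructed throwaway PKI; file names are assumptions.

# make_demo_pki DIR: constructed root CA -> subordinate CA -> client certificate.
make_demo_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
  for n in root sub client; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$n.pem.privkey" -out "$n.csr" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.pem.privkey -days 2 \
    -extfile ca.ext -out rootca.pem.crt 2>/dev/null &&
  openssl x509 -req -in sub.csr -CA rootca.pem.crt -CAkey root.pem.privkey \
    -set_serial 2 -days 2 -extfile ca.ext -out subca.pem.crt 2>/dev/null &&
  openssl x509 -req -in client.csr -CA subca.pem.crt -CAkey sub.pem.privkey \
    -set_serial 3 -days 2 -extfile client.ext -out client.pem.crt 2>/dev/null
)

# build_chain_p12 ROOT SUBCA CERT KEY OUT
# The export password is read from $P12_PASS so it never appears in the process list.
build_chain_p12() {
  bundle=$(mktemp) || return 1
  cat "$2" "$1" > "$bundle"   # subordinate first, then root: the -CAfile for -chain
  # Step 4 of the post, extended: only the root is trusted; the subordinate is
  # offered as an untrusted helper, so a client cert that does not chain to the
  # root is rejected before any PKCS#12 file is written.
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 &&
  openssl pkcs12 -export -chain -CAfile "$bundle" -in "$3" -inkey "$4" \
    -name client -passout env:P12_PASS -out "$5"
  rc=$?
  rm -f "$bundle"
  return $rc
}

# p12_cert_count FILE: number of certificates stored in the PKCS#12 file.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Demonstration run on the constructed PKI.
demo_dir=$(mktemp -d) && export P12_PASS='constructed-demo-pass'
make_demo_pki "$demo_dir" &&
build_chain_p12 "$demo_dir/rootca.pem.crt" "$demo_dir/subca.pem.crt" \
  "$demo_dir/client.pem.crt" "$demo_dir/client.pem.privkey" \
  "$demo_dir/client_caChain.p12" &&
echo "certificates in p12: $(p12_cert_count "$demo_dir/client_caChain.p12")"
```

If the subordinate CA is left out, the verify step fails and no PKCS#12 file is produced, which is the check to look for before importing the result into a Java KeyStore.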
Joined: Sep 09, 2003
Check out ssltool utility of JSTK for a Java equivalent of OpenSSL's s_client.