
Openssl equivalent in Java

Michael Arnett
Ranch Hand

Joined: Mar 22, 2001
Posts: 65
Hi all,
I was hoping someone could help me out. I have two questions. First, OpenSSL includes a test client s_client. This client will connect to an SSL server and verify that client auth is happening correctly. This client accepts a client cert file and a client private key file as parameters. I was wondering if it was possible to perform a similar execution in Java? I am aware of concatenating the private key and client cert, but it seems it would be more elegant to be able to specify a client cert and a private key without creating a concatenated file.
The second question is how does one recreate the CA chain if given a root ca, a subordinate ca, and a client cert all in separate PEM files. I would like to create a pkcs12 file that contains a client private key- client certificate pair but instead of just having a single cert, have all three of the aforementioned certs.
Thanks in advance for any insight,

Sun Certified Programmer for the Java 2 Platform 1.4
Michael Arnett
Ranch Hand

Joined: Mar 22, 2001
Posts: 65
Ok, I found the answer to the second portion of my question; so I thought I would post it.
1. Assume that you have a client cert in PEM format called client.pem.crt.
2. Assume that you have a CA root cert also in PEM format called cacert.pem.crt.
3. Assume that you have a client private key in PEM format called client.pem.privkey.
4. First, verify that the client cert was signed by the cacert.pem.crt file. Execute:
openssl verify -CAfile C:\test\cacert.pem.crt client.pem.crt
client.pem.crt: OK
5. If the response is ok, then proceed by combining the client private key and client cert into a single pkcs12 file which includes the CA Chain from the cacert.pem.crt file. Execute:
openssl pkcs12 -export -chain -CAfile C:\test\cacert.pem.crt -in client.pem.crt -inkey client.pem.privkey -out client_caChain.p12
That's all there is to it. If you want to import this pkcs12 file into a jks file (Java KeyStore), just use the jdk keytool utility or better yet the handy KeytoolGUI utility (
Hope someone else can use this info.
Pankaj Kr
Ranch Hand

Joined: Sep 09, 2003
Posts: 80
Check out ssltool utility of JSTK for a Java equivalent of OpenSSL's s_client.

Pankaj Kumar
Home - WebLog - J2EE Security
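
Added example, not part of any post in this thread: a Java client that takes the client certificate, the private key and the CA certificates as separate PEM files, builds the chain in memory and presents it for TLS client authentication, roughly what s_client does with separate cert and key parameters. The class name, the argument order, the placeholder password and the file names in the comments are assumptions; the key must be unencrypted PKCS#8 PEM and the CA file must list the subordinate CA before the root.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import java.util.regex.*;
import javax.net.ssl.*;

public class PemClientAuth {
    // Every certificate in a PEM file, in file order.
    static List<X509Certificate> certs(String path) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (var in = Files.newInputStream(Paths.get(path))) {
            for (Object c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                out.add((X509Certificate) c);
        }
        return out;
    }
    // Assumption: unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY"), not "BEGIN RSA PRIVATE KEY".
    static PrivateKey key(String path, String alg) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        Matcher m = Pattern.compile("-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----",
                Pattern.DOTALL).matcher(pem);
        if (!m.find()) throw new IllegalArgumentException("need unencrypted PKCS#8 PEM");
        return KeyFactory.getInstance(alg).generatePrivate(
                new PKCS8EncodedKeySpec(Base64.getMimeDecoder().decode(m.group(1))));
    }
    // args: client.pem.crt client.pk8.pem ca-chain.pem host port   (hypothetical file names)
    // Assumption: ca-chain.pem lists the subordinate CA first, then the root.
    public static void main(String[] a) throws Exception {
        List<X509Certificate> chain = certs(a[0]);            // client certificate first
        chain.addAll(certs(a[2]));
        for (int i = 0; i + 1 < chain.size(); i++)            // signature check only, not full path validation
            chain.get(i).verify(chain.get(i + 1).getPublicKey());
        char[] pw = "changeit".toCharArray();                 // placeholder; protects the in-memory entry
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                  // empty keystore, nothing read from disk
        ks.setKeyEntry("client", key(a[1], chain.get(0).getPublicKey().getAlgorithm()), pw,
                chain.toArray(new X509Certificate[0]));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);           // null = default JDK trust store checks the server
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(a[3], Integer.parseInt(a[4]))) {
            s.startHandshake();
            System.out.println(s.getSession().getProtocol() + ", client cert sent: " + (s.getSession().getLocalCertificates() != null));
        }
    }
}
```

Calling `ks.store(outputStream, pw)` on the same `KeyStore` writes a PKCS#12 file holding the key and all chain certificates. A server that never requests a client certificate makes the program print `client cert sent: false`.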