This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
I am trying to connect to a server that requries mutual authentication. My trust store has the server's certificate as well as the root verisign certificate that it was signed with. My keystore has the client certificate and the private key.
Using this keystore and trust store I am able to successfully connect to the external server from one of my servers.
However the remote server responds with "This page requires a client certificate" when I send the request using the same keystore and trust store from a different server. command line: java -Djavax.net.debug=ssl -classpath $JAVA_CLASSPATH -Djavax.net.ssl.keyStore=/test/client.keystore -Djavax.net.ssl.keyStorePassword=aaaaa123 -Djavax.net.ssl.trustStore=/test/cacerts -Djavax.net.ssl.trustStorePassword=aaaaa123 SimpleTest
On turning on ssl debugging I do not see any exceptions, everything seems to be working as expected.
I don't understand this statement. If the server certificates are signed by verisign, then all your client needs to authenticate the server is verisign's root certificate in your truststore. Similarly, if the server wants your client to authenticate, then it will send a list of the DNs of CA it trusts. Your client certificate must be signed by one of those CAs. Finally, you should be able to see this happening in the debug trace, so I don't know what you mean when you say that the trace looks normal. Can you post the trace?
Nice to meet you.
Joined: Oct 08, 2002
I am not able to post the full response since javaranch does not allow some characters
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded keyStore is : /home/me/blisstest/bliss_client.jks keyStore type is : jks keyStore provider is : init keystore init keymanager of type SunX509 *** found key for : blissclient chain  = [ [ Version: V3 Subject: EMAILADDRESSfirstname.lastname@example.org, CN=BHN AST, T=Programmer, OU="Security Phrase - A2Ac3r+!", OU=Company - Networks, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Data Center, O=bliss Prepaid Solutions Signature Algorithm: SHA1withRSA, OID = 1.2.840.1135220.127.116.11
Key: Sun RSA public key, 2048 bits modulus: 18905729229464742433949840178165285210788629616064305164260843170201977241822595607598003983710482114887504542420063531704226365322091550579034120400511694538047325464426047959412241672706076731441028369861556999479337863789783838582999151810376013650218058341794419022809268802993425241541430009002110553726612125414429934927217253337526656605550620555845061032537869588361121949241772361851996536275260212221084778605793422355009443918198903890623415507477268041766919150091887619618794603091993360 637671933766441597921249204891707900552776893415739395596650548462810104696585021566385762017523199762687187467514321 public exponent: 65537 Validity: [From: Tue Jan 18 16:00:00 PST 2005, To: Sun Jan 18 15:59:59 PST 2015] Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US SerialNumber: [ 75337d9a b0e1233b ae2d7de4 469162d4]
Certificate Extensions: 8 : ObjectId: 18.104.22.168 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 6F EC AF A0 DD 8A A4 EF F5 2A 10 67 2D 3F 55 82 o........*.g-?U. 0010: BC D7 EF 25 ...% ] ]
: ObjectId: 2.16.840.1.113730.1.1 Criticality=false NetscapeCertType [ SSL CA S/MIME CA ]