untrusted server cert chain

 
Greenhorn
Posts: 25

Task: Java client calling a servlet using the HTTPS protocol

This is the sample java code we are using :

import java.io.InputStream;
import java.net.URL;
import java.security.Security;

System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
String sUrl = "https://111.111.111.111:1111/TestServlet";
URL u = new URL(sUrl);
InputStream in = u.openStream();

And it compiles successfully. While executing we are getting the following error:

Exception : javax.net.ssl.SSLException: untrusted server cert chain

We have come to know that we need to use 'keytool', but we don't know how to proceed with this. Can anyone help us in this regard?
And for your information, the above code is a simple Java program.
Regards
Nathan
:roll:
[ April 17, 2002: Message edited by: Nathan KV ]
 
Ranch Hand
Posts: 214
Exception : javax.net.ssl.SSLException: untrusted server cert chain
is pretty clear, it means that your client cannot trust the server, because it cannot find a certificate in its keystore that has verified the server's certificate.
If the server in question has a certificate signed by Verisign or one of the big CAs then this shouldn't be a problem. Most of those CA certificates are in jdk\jre\lib\security\cacerts which should be used automatically by the Sun JSSE implementation.
cacerts is a keystore.
If, in fact, the server is just using a self-signed certificate, or a certificate not (eventually) signed by something in cacerts, then you need to *explicitly* trust that certificate, or its signing certificate.

I hope that gives you enough idea...
 
Nathan KV
Greenhorn
Posts: 25
I have given the following command at the DOS prompt.

keytool -import -alias xyz -file democert.pem -keystore C:\jdk1.3.1\jre\lib\security\cacerts

-----------
And we got the following response:

Certificate was added to keystore

But even now we are getting the same 'untrusted server cert chain' problem.
How should we proceed now?
We have the following files in the directory C:\jdk1.3.1\jre\lib\security:
cacerts
java.policy
java.security
democert.pem
demokey.pem
ca.pem
Here I have copied the following files from the server side (WebLogic):
1. democert.pem
2. demokey.pem
3. ca.pem
How should we proceed with this, and what do we have to give in the keytool command? Please explain.
And for your information, we are using only the default WebLogic certificate on the server side.
Regards
Nathan
[ April 17, 2002: Message edited by: Nathan KV ]