Openssl equivalent in Java

 
Ranch Hand
Posts: 65
Hi all,
I was hoping someone could help me out. I have two questions. First, OpenSSL includes a test client, s_client. This client will connect to an SSL server and verify that client auth is happening correctly. This client accepts a client cert file and a client private key file as parameters. I was wondering if it was possible to perform a similar execution in Java? I am aware of concatenating the private key and client cert, but it seems it would be more elegant to be able to specify a client cert and a private key without creating a concatenated file.
The second question is how does one recreate the CA chain if given a root CA, a subordinate CA, and a client cert, all in separate PEM files. I would like to create a pkcs12 file that contains a client private key/client certificate pair but, instead of just having a single cert, have all three of the aforementioned certs.
Thanks in advance for any insight,
-MLA
 
Michael Arnett
Ranch Hand
Posts: 65
Ok, I found the answer to the second portion of my question; so I thought I would post it.
1. Assume that you have a client cert in PEM format called client.pem.crt.
2. Assume that you have a CA root cert also in PEM format called cacert.pem.crt.
3. Assume that you have a client private key in PEM format called client.pem.privkey.
4. First, verify that the client cert was signed by the cacert.pem.crt file. Execute:
openssl verify -CAfile C:\test\cacert.pem.crt client.pem.crt
Response:
client.pem.crt: OK
5. If the response is ok, then proceed by combining the client private key and client cert into a single pkcs12 file which includes the CA Chain from the cacert.pem.crt file. Execute:
openssl pkcs12 -export -chain -CAfile C:\test\cacert.pem.crt -in client.pem.crt -inkey client.pem.privkey -out client_caChain.p12
That's all there is to it. If you want to import this pkcs12 file into a jks file (Java KeyStore), just use the JDK keytool utility or, better yet, the handy KeytoolGUI utility (http://www.waynegrant.info/keytool.html).
Hope someone else can use this info.
-MLA
 
Author
Posts: 80
Check out the ssltool utility of JSTK for a Java equivalent of OpenSSL's s_client.
 