I am trying to connect to a server that requires mutual authentication. My trust store has the server's certificate as well as the root VeriSign certificate that it was signed with. My keystore has the client certificate and the private key.
Using this keystore and trust store I am able to successfully connect to the external server from one of my servers.
However, the remote server responds with "This page requires a client certificate" when I send the request using the same keystore and trust store from a different server.

Command line:
java -Djavax.net.debug=ssl -classpath $JAVA_CLASSPATH -Djavax.net.ssl.keyStore=/test/client.keystore -Djavax.net.ssl.keyStorePassword=aaaaa123 -Djavax.net.ssl.trustStore=/test/cacerts -Djavax.net.ssl.trustStorePassword=aaaaa123 SimpleTest

On turning on SSL debugging I do not see any exceptions; everything seems to be working as expected.
I don't understand this statement. If the server certificates are signed by VeriSign, then all your client needs to authenticate the server is VeriSign's root certificate in your truststore. Similarly, if the server wants your client to authenticate, then it will send a list of the DNs of the CAs it trusts. Your client certificate must be signed by one of those CAs. Finally, you should be able to see this happening in the debug trace, so I don't know what you mean when you say that the trace looks normal. Can you post the trace?
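The reply above describes the step to look at: the server's CertificateRequest carries the DNs of the CAs it accepts, and JSSE only sends a client certificate whose chain is issued by one of them; when nothing matches it sends no certificate, the handshake still completes without an exception, and the server answers with a page instead of a TLS error. The following diagnostic is an added example, not code from the thread or from the JSSE project. It wraps the JVM's X509KeyManager so that the issuer list the server sends is printed beside the issuer of every key in the keystore, prints which keystore path the JVM is actually using (the `-Djavax.net.ssl.keyStore` value), and sends one HTTP request so that servers which ask for the certificate by renegotiating per URL are covered too. The class name `ClientCertDiagnostic`, the host/port arguments and the `GET /` request are assumptions for illustration.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

/*
 * Added example (not from the thread). Run with the same -D properties as the
 * original command line, e.g. (host and port are hypothetical):
 *   java -Djavax.net.ssl.keyStore=/test/client.keystore -Djavax.net.ssl.keyStorePassword=... \
 *        -Djavax.net.ssl.trustStore=/test/cacerts ClientCertDiagnostic example.com 443
 */
public class ClientCertDiagnostic {

    /** Delegating key manager that logs what the server asked for and what the keystore holds. */
    static final class LoggingKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            report(keyTypes, issuers);
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            System.out.println("alias chosen for this connection: " + alias); // null = no cert sent
            return alias;
        }

        // Same hook for SSLEngine-based clients (NIO, most HTTP client libraries).
        @Override
        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
            report(keyTypes, issuers);
            String alias = (delegate instanceof X509ExtendedKeyManager)
                    ? ((X509ExtendedKeyManager) delegate).chooseEngineClientAlias(keyTypes, issuers, engine)
                    : delegate.chooseClientAlias(keyTypes, issuers, null);
            System.out.println("alias chosen for this connection: " + alias);
            return alias;
        }

        private void report(String[] keyTypes, Principal[] issuers) {
            System.out.println("server accepts key types: " + Arrays.toString(keyTypes));
            System.out.println("server accepts certificates issued by:");
            if (issuers == null || issuers.length == 0) {
                System.out.println("  (no list sent: any issuer should be acceptable)");
            } else {
                for (Principal p : issuers) System.out.println("  " + p.getName());
            }
            System.out.println("client keys in keystore:");
            for (String keyType : keyTypes) {
                String[] aliases = delegate.getClientAliases(keyType, null); // null = no issuer filter
                if (aliases == null) continue;
                for (String alias : aliases) {
                    X509Certificate[] chain = delegate.getCertificateChain(alias);
                    boolean ok = issuers == null || issuers.length == 0 || issuedByAccepted(chain, issuers);
                    System.out.println("  " + alias + " subject=" + chain[0].getSubjectX500Principal()
                            + " issuer=" + chain[0].getIssuerX500Principal()
                            + " -> " + (ok ? "acceptable" : "NOT in the server's list"));
                }
            }
        }

        // True if any certificate in the chain was issued by one of the CAs the server named.
        private static boolean issuedByAccepted(X509Certificate[] chain, Principal[] issuers) {
            for (X509Certificate cert : chain) {
                for (Principal p : issuers) {
                    X500Principal accepted = (p instanceof X500Principal)
                            ? (X500Principal) p : new X500Principal(p.getName());
                    if (cert.getIssuerX500Principal().equals(accepted)) return true;
                }
            }
            return false;
        }

        @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
        @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Read the same properties the original command line sets and print the path,
        // so the keystore this JVM really uses is known rather than assumed.
        String ksPath = System.getProperty("javax.net.ssl.keyStore");
        if (ksPath == null) throw new IllegalStateException("-Djavax.net.ssl.keyStore is not set");
        char[] ksPass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        System.out.println("keystore in use: " + ksPath);
        KeyStore ks = KeyStore.getInstance(System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
        try (InputStream in = new FileInputStream(ksPath)) { ks.load(in, ksPass); }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null); // null trust managers = JSSE default, honours -Djavax.net.ssl.trustStore

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            // Servers that require the certificate per URL ask for it by renegotiating after
            // the request arrives, so send one request and read the reply; the log fires then.
            OutputStream out = sock.getOutputStream();
            out.write(("GET / HTTP/1.0\r\nHost: " + host + "\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
            out.flush();
            byte[] buf = new byte[4096];
            int n = sock.getInputStream().read(buf);
            System.out.println(n > 0 ? new String(buf, 0, n, StandardCharsets.ISO_8859_1) : "(no response)");
            X509Certificate[] sent = (X509Certificate[]) sock.getSession().getLocalCertificates();
            System.out.println("certificates sent to the server: " + (sent == null ? "none" : sent.length));
        }
    }
}
```

If the line for your alias ends in "NOT in the server's list", the client certificate's issuer is not among the CAs the server accepts and JSSE will not send it; if it says "acceptable" but "alias chosen" is still null, check that the key type the server lists matches the key in the keystore. Comparing the output of the working and the failing server side by side shows which of the two inputs (the server's list or the keystore actually loaded) differs.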
I am not able to post the full response since javaranch does not allow some characters
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : /home/me/blisstest/bliss_client.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : blissclient
chain = [
[
  Version: V3
  Subject: EMAILADDRESS=email@example.com, CN=BHN AST, T=Programmer, OU="Security Phrase - A2Ac3r+!", OU=Company - Networks, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Data Center, O=bliss Prepaid Solutions
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 2048 bits
  modulus: 18905729229464742433949840178165285210788629616064305164260843170201977241822595607598003983710482114887504542420063531704226365322091550579034120400511694538047325464426047959412241672706076731441028369861556999479337863789783838582999151810376013650218058341794419022809268802993425241541430009002110553726612125414429934927217253337526656605550620555845061032537869588361121949241772361851996536275260212221084778605793422355009443918198903890623415507477268041766919150091887619618794603091993360637671933766441597921249204891707900552776893415739395596650548462810104696585021566385762017523199762687187467514321
  public exponent: 65537
  Validity: [From: Tue Jan 18 16:00:00 PST 2005,
               To: Sun Jan 18 15:59:59 PST 2015]
  Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  SerialNumber: [    75337d9a b0e1233b ae2d7de4 469162d4]

Certificate Extensions: 8
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6F EC AF A0 DD 8A A4 EF   F5 2A 10 67 2D 3F 55 82  o........*.g-?U.
0010: BC D7 EF 25                                        ...%
]
]

ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]
SSL Labs tests whether a certificate is installed properly on a web server for access from the outside, besides other stuff. That has no bearing on how a JVM might use it when trying to connect from the server to the outside. The Security FAQ (linked from the top of this forum's home page) has an entry that covers this particular issue. In short: the certificate needs to be installed in a place where the JVM will find it.
I have reinstalled the JVM to ensure a clean installation. However, there is no change.
I have copied the stack trace for the handshaking error to a pastebin page.
It does seem our certificate gets added initially, as per the following: