Two-way SSL authentication

 
Matt Dalen
Greenhorn
Hi,

I'm trying to call a web service run by an outside company. I've done server-side SSL authentication before, but this is the first time I've been asked to do two-way authentication, and I'm having trouble getting it to work. I'm receiving their cert properly, and I think my keystore is properly built to include both the private key and the cert (I used keytool to import them from a PKCS12 file into a JKS file). But I'm still receiving an error when I try to send information - the server folks say they're not receiving a client cert.

Here's my test code that sends the message:



Any suggestions for ways to solve this, or avenues of investigation?
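An added example (not Matt's code, which did not survive on the page) of the client-side JSSE wiring for two-way SSL, with a key manager wrapper that logs which CAs the server lists in its CertificateRequest and which client alias was picked for them; file names, passwords and the URL are placeholders.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.net.URL;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
public class MutualTlsClient {
    // Wraps the JSSE key manager to log the CAs the server accepts and the alias chosen (null => no client cert sent).
    static class LoggingKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager inner;
        LoggingKeyManager(X509ExtendedKeyManager inner) { this.inner = inner; }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            if (issuers != null) for (Principal p : issuers) System.out.println("server accepts CA: " + p.getName());
            // SunX509 only returns an alias whose chain was issued by a listed CA; an issuer mismatch shows up as null here.
            String alias = inner.chooseClientAlias(keyType, issuers, socket);
            System.out.println("chosen client alias: " + alias);
            return alias;
        }
        @Override public String chooseEngineClientAlias(String[] k, Principal[] i, SSLEngine e) { return inner.chooseEngineClientAlias(k, i, e); }
        @Override public String[] getClientAliases(String k, Principal[] i) { return inner.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return inner.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return inner.chooseServerAlias(k, i, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return inner.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return inner.getPrivateKey(a); }
    }
    static SSLContext build(String p12Path, char[] keyPass, String trustPath, char[] trustPass) throws Exception {
        // Client identity: the PKCS12 loads directly, so the keytool import into JKS is optional.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) { ks.load(in, keyPass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509ExtendedKeyManager) kms[i] = new LoggingKeyManager((X509ExtendedKeyManager) kms[i]);
        // Server trust: the trust store holds the CA that signed the server's certificate.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { ts.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and URL; run with -Djavax.net.debug=ssl,handshake for the full handshake log.
        SSLContext ctx = build("client.p12", "changeit".toCharArray(), "truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://service.example.com/ws").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If "chosen client alias" prints null while the server's accepted CA names differ from your client certificate's issuer, the client cert is being silently withheld, which is exactly what the server side reports as "no client cert received".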
 
Jaikiran Pai
Sheriff
Is there anything in the SSL debug logs (http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)?
 
Jaikiran Pai
Sheriff
Matt Dalen wrote: But I'm still receiving an error when I try to send information - the server folks say they're not receiving a client cert.


It's hard to say without looking at the actual error (if any), but I just found this long discussion thread about 2 way SSL and thought you might want to just check some of the points mentioned there http://www.coderanch.com/t/496594/Web-Services/java/ssl-working-bad-certificate
 
Richard Tookey
Bartender
Matt Dalen wrote:and I think my keystore is properly built to include both the private key and the cert


I hope not. If they have given you their private key their site is seriously compromised! You only need their CA signed certificate.

<edit> On re-reading I may have misunderstood where the PKCS12 file comes from. If it is one you generated for the client-side authentication then the above does not apply, but of course the certificate contained in the PKCS12 file must be signed by a CA that the server recognises.
 
Matt Dalen
Greenhorn
Jaikiran Pai wrote:Is there anything in the SSL debug logs (http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)?


Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.

Richard Tookey wrote: <edit> On re-reading I may have misunderstood where the PKCS12 file comes from. If it is one you generated for the client-side authentication then the above does not apply, but of course the certificate contained in the PKCS12 file must be signed by a CA that the server recognises.


Yes, this is the pkcs12 file we generated for client-side authentication. However, I think you're right that it's an issue with the CA not matching.
 
Deepak Bala
Bartender
Matt Dalen wrote: Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.


From what I understand, one of the issuers on the cert chain is unavailable for verification in your client-side trust store. For example, the root CA for github is DigiCert. If DigiCert is unavailable in the trust store, any communication between you and github will fail with an SSL error saying the CA cannot be verified.

To fix the problem (if that is the problem) import the CA's cert into your trust store. Who is the CA? Is the certificate self-signed?

[EDIT]

My assumption here is that the error you are talking about came from not trusting the cert presented by the server. Please post the SSL debug logs and we can help you further.
 
Matt Dalen
Greenhorn
Deepak Bala wrote:
Matt Dalen wrote: Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.


From what I understand, one of the issuers on the cert chain is unavailable for verification in your client-side trust store. For example, the root CA for github is DigiCert. If DigiCert is unavailable in the trust store, any communication between you and github will fail with an SSL error saying the CA cannot be verified.

To fix the problem (if that is the problem) import the CA's cert into your trust store. Who is the CA? Is the certificate self-signed?

[EDIT]

My assumption here is that the error you are talking about came from not trusting the cert presented by the server. Please post the SSL debug logs and we can help you further.


I was able to track down the issue - I was given the wrong cert, which is why the issuer didn't match. Thanks for everyone's help!
 