Java HTTPS client certificate authentication

Question

I m fairly new to HTTPS SSL TLS and I m a bit confused over what exactly the clients are supposed to present when authenticating with certificates   I m writing a Java client that needs to do a simple POST of data to a particular URL  That part works fine  the only problem is it s supposed to be done over HTTPS  The HTTPS part is fairly easy to handle  either with HTTPclient or using Java s built-in HTTPS support   but I m stuck on authenticating with client certificates  I ve noticed there s already a very similar question on here  which I haven t tried out with my code yet  will do so soon enough   My current issue is that - whatever I do - the Java client never sends along the certificate  I can check this with PCAP dumps    I would like to know what exactly the client is supposed to present to the server when authenticating with certificates  specifically for Java - if that matters at all   Is this a JKS file  or PKCS 12  What s supposed to be in them  just the client certificate  or a key  If so  which key  There s quite a bit of confusion about all the different kinds of files  certificate types and such   As I ve said before I m new to HTTPS SSL TLS so I would appreciate some background information as well  doesn t have to be an essay  I ll settle for links to good articles

User · Answer

They JKS file is just a container for certificates and key pairs. In a client-side authentication scenario, the various parts of the keys will be located here:

The client's store will contain the client's private and public key pair. It is called a keystore.
The server's store will contain the client's public key. It is called a truststore.

The separation of truststore and keystore is not mandatory but recommended. They can be the same physical file.

To set the filesystem locations of the two stores, use the following system properties:

-Djavax.net.ssl.keyStore=clientsidestore.jks

and on the server:

-Djavax.net.ssl.trustStore=serversidestore.jks

To export the client's certificate (public key) to a file, so you can copy it to the server, use

keytool -export -alias MYKEY -file publicclientkey.cer -store clientsidestore.jks

To import the client's public key into the server's keystore, use (as the the poster mentioned, this has already been done by the server admins)

keytool -import -file publicclientkey.cer -store serversidestore.jks

User · Answer

Other answers show how to globally configure client certificates  However if you want to programmatically define the client key for one particular connection  rather than globally define it across every application running on your JVM  then you can configure your own SSLContext like so   String keyPassphrase        KeyStore keyStore   KeyStore getInstance  PKCS12    keyStore load new FileInputStream  cert-key-pair pfx    keyPassphrase toCharArray      SSLContext sslContext   SSLContexts custom            loadKeyMaterial keyStore  null           build     HttpClient httpClient   HttpClients custom   setSSLContext sslContext  build    HttpResponse response   httpClient execute new HttpGet  https   example com

User · Answer

Maven pom xml    lt  xml version  1 0  encoding  UTF-8   gt   lt project xmlns  http   maven apache org POM 4 0 0  xmlns xsi  http   www w3 org 2001 XMLSchema-instance  xsi schemaLocation  http   maven apache org POM 4 0 0 http   maven apache org xsd maven-4 0 0 xsd  gt       lt modelVersion gt 4 0 0 lt  modelVersion gt       lt groupId gt some examples lt  groupId gt       lt artifactId gt sslcliauth lt  artifactId gt       lt version gt 1 0-SNAPSHOT lt  version gt       lt packaging gt jar lt  packaging gt       lt name gt sslcliauth lt  name gt       lt dependencies gt           lt dependency gt               lt groupId gt org apache httpcomponents lt  groupId gt               lt artifactId gt httpclient lt  artifactId gt               lt version gt 4 4 lt  version gt           lt  dependency gt       lt  dependencies gt   lt  project gt    Java code   package some examples   import java io FileInputStream  import java io IOException  import java security KeyManagementException  import java security KeyStore  import java security KeyStoreException  import java security NoSuchAlgorithmException  import java security UnrecoverableKeyException  import java security cert CertificateException  import java util logging Level  import java util logging Logger  import javax net ssl SSLContext  import org apache http HttpEntity  import org apache http HttpHost  import org apache http client config RequestConfig  import org apache http client methods CloseableHttpResponse  import org apache http client methods HttpPost  import org apache http conn ssl SSLConnectionSocketFactory  import org apache http ssl SSLContexts  import org apache http impl client CloseableHttpClient  import org apache http impl client HttpClients  import org apache http util EntityUtils  import org apache http entity InputStreamEntity   public class SSLCliAuthExample    private static final Logger LOG   Logger getLogger SSLCliAuthExample class getName      private static final String CA KEYSTORE TYPE   KeyStore getDefaultType       JKS   private static final String CA KEYSTORE PATH      cacert jks   private static final String CA KEYSTORE PASS    changeit    private static final String CLIENT KEYSTORE TYPE    PKCS12   private static final String CLIENT KEYSTORE PATH      client p12   private static final String CLIENT KEYSTORE PASS    changeit    public static void main String   args  throws Exception       requestTimestamp       public final static void requestTimestamp   throws Exception       SSLConnectionSocketFactory csf   new SSLConnectionSocketFactory              createSslCustomContext                new String    TLSv1       Allow TLSv1 protocol only             null              SSLConnectionSocketFactory getDefaultHostnameVerifier         try  CloseableHttpClient httpclient   HttpClients custom   setSSLSocketFactory csf  build              HttpPost req   new HttpPost  https   changeit com changeit            req setConfig configureRequest             HttpEntity ent   new InputStreamEntity new FileInputStream    bytes bin             req setEntity ent           try  CloseableHttpResponse response   httpclient execute req                 HttpEntity entity   response getEntity                LOG log Level INFO       Reponse status   0    response getStatusLine                 EntityUtils consume entity               LOG log Level INFO       Response entity   0    entity toString                        public static RequestConfig configureRequest         HttpHost proxy   new HttpHost  changeit local   8080   http        RequestConfig config   RequestConfig custom                setProxy proxy               build        return config     public static SSLContext createSslCustomContext   throws KeyStoreException  IOException  NoSuchAlgorithmException  CertificateException  KeyManagementException  UnrecoverableKeyException          Trusted CA keystore     KeyStore tks   KeyStore getInstance CA KEYSTORE TYPE       tks load new FileInputStream CA KEYSTORE PATH   CA KEYSTORE PASS toCharArray             Client keystore     KeyStore cks   KeyStore getInstance CLIENT KEYSTORE TYPE       cks load new FileInputStream CLIENT KEYSTORE PATH   CLIENT KEYSTORE PASS toCharArray          SSLContext sslcontext   SSLContexts custom                  loadTrustMaterial tks  new TrustSelfSignedStrategy       use it to customize              loadKeyMaterial cks  CLIENT KEYSTORE PASS toCharArray       load client certificate              build        return sslcontext

User · Answer

There is a better way than having to manually navigate to https   url   knowing what button to click in what browser  knowing where and how to save the  quot certificate quot  file and finally knowing the magic incantation for the keytool to install it locally  Just do this   Save code below to InstallCert java Open command line and execute   javac InstallCert java Run like  java InstallCert  lt host gt   port   passphrase   port and passphrase are optional   Here is the code for InstallCert  note the year in header  will need to modify some parts for  quot later quot  versions of java        Copyright 2006 Sun Microsystems  Inc   All Rights Reserved        Redistribution and use in source and binary forms  with or without    modification  are permitted provided that the following conditions    are met          - Redistributions of source code must retain the above copyright        notice  this list of conditions and the following disclaimer          - Redistributions in binary form must reproduce the above copyright        notice  this list of conditions and the following disclaimer in the        documentation and or other materials provided with the distribution          - Neither the name of Sun Microsystems nor the names of its        contributors may be used to endorse or promote products derived        from this software without specific prior written permission        THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS  quot AS    IS quot  AND ANY EXPRESS OR IMPLIED WARRANTIES  INCLUDING  BUT NOT LIMITED TO     THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR    PURPOSE ARE DISCLAIMED   IN NO EVENT SHALL THE COPYRIGHT OWNER OR    CONTRIBUTORS BE LIABLE FOR ANY DIRECT  INDIRECT  INCIDENTAL  SPECIAL     EXEMPLARY  OR CONSEQUENTIAL DAMAGES  INCLUDING  BUT NOT LIMITED TO     PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES  LOSS OF USE  DATA  OR    PROFITS  OR BUSINESS INTERRUPTION  HOWEVER CAUSED AND ON ANY THEORY OF    LIABILITY  WHETHER IN CONTRACT  STRICT LIABILITY  OR TORT  INCLUDING    NEGLIGENCE OR OTHERWISE  ARISING IN ANY WAY OUT OF THE USE OF THIS    SOFTWARE  EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE       import java io    import java net URL   import java security    import java security cert     import javax net ssl     public class InstallCert        public static void main String   args  throws Exception     String host    int port    char   passphrase    if   args length    1      args length    2           String   c   args 0  split  quot   quot          host   c 0         port    c length    1    443   Integer parseInt c 1          String p    args length    1     quot changeit quot    args 1         passphrase   p toCharArray        else         System out println  quot Usage  java InstallCert  lt host gt   port   passphrase  quot          return         File file   new File  quot jssecacerts quot      if  file isFile      false          char SEP   File separatorChar        File dir   new File System getProperty  quot java home quot     SEP            quot lib quot    SEP    quot security quot          file   new File dir   quot jssecacerts quot          if  file isFile      false        file   new File dir   quot cacerts quot                  System out println  quot Loading KeyStore  quot    file    quot     quot      InputStream in   new FileInputStream file     KeyStore ks   KeyStore getInstance KeyStore getDefaultType       ks load in  passphrase     in close       SSLContext context   SSLContext getInstance  quot TLS quot      TrustManagerFactory tmf         TrustManagerFactory getInstance TrustManagerFactory getDefaultAlgorithm       tmf init ks     X509TrustManager defaultTrustManager    X509TrustManager tmf getTrustManagers   0     SavingTrustManager tm   new SavingTrustManager defaultTrustManager     context init null  new TrustManager    tm   null     SSLSocketFactory factory   context getSocketFactory       System out println  quot Opening connection to  quot    host    quot   quot    port    quot     quot      SSLSocket socket    SSLSocket factory createSocket host  port     socket setSoTimeout 10000     try         System out println  quot Starting SSL handshake    quot          socket startHandshake          socket close          System out println          System out println  quot No errors  certificate is already trusted quot        catch  SSLException e          System out println          e printStackTrace System out          X509Certificate   chain   tm chain    if  chain    null          System out println  quot Could not obtain server certificate chain quot          return         BufferedReader reader       new BufferedReader new InputStreamReader System in       System out println      System out println  quot Server sent  quot    chain length    quot  certificate s   quot      System out println      MessageDigest sha1   MessageDigest getInstance  quot SHA1 quot      MessageDigest md5   MessageDigest getInstance  quot MD5 quot      for  int i   0  i  lt  chain length  i            X509Certificate cert   chain i         System out println           quot   quot     i   1     quot  Subject  quot    cert getSubjectDN           System out println  quot    Issuer   quot    cert getIssuerDN           sha1 update cert getEncoded           System out println  quot    sha1     quot    toHexString sha1 digest            md5 update cert getEncoded           System out println  quot    md5      quot    toHexString md5 digest            System out println           System out println  quot Enter certificate to add to trusted keystore or  q  to quit   1  quot      String line   reader readLine   trim      int k    try         k    line length      0    0   Integer parseInt line  - 1      catch  NumberFormatException e          System out println  quot KeyStore not changed quot          return         X509Certificate cert   chain k     String alias   host    quot - quot     k   1     ks setCertificateEntry alias  cert      OutputStream out   new FileOutputStream  quot jssecacerts quot      ks store out  passphrase     out close       System out println      System out println cert     System out println      System out println       quot Added certificate to keystore  jssecacerts  using alias   quot        alias    quot   quot               private static final char   HEXDIGITS    quot 0123456789abcdef quot  toCharArray         private static String toHexString byte   bytes      StringBuilder sb   new StringBuilder bytes length   3     for  int b   bytes          b  amp   0xff        sb append HEXDIGITS b  gt  gt  4          sb append HEXDIGITS b  amp  15          sb append             return sb toString               private static class SavingTrustManager implements X509TrustManager      private final X509TrustManager tm    private X509Certificate   chain     SavingTrustManager X509TrustManager tm          this tm   tm         public X509Certificate   getAcceptedIssuers           throw new UnsupportedOperationException           public void checkClientTrusted X509Certificate   chain  String authType      throws CertificateException         throw new UnsupportedOperationException           public void checkServerTrusted X509Certificate   chain  String authType      throws CertificateException         this chain   chain        tm checkServerTrusted chain  authType

User · Answer

Given a p12 file with both the certificate and the private key  generated by openssl  for example   the following code will use that for a specific HttpsURLConnection       KeyStore keyStore   KeyStore getInstance  pkcs12        keyStore load new FileInputStream keyStorePath   keystorePassword toCharArray         KeyManagerFactory kmf   KeyManagerFactory getInstance KeyManagerFactory getDefaultAlgorithm         kmf init keyStore  keystorePassword toCharArray         SSLContext ctx   SSLContext getInstance  TLS        ctx init kmf getKeyManagers    null  null       SSLSocketFactory sslSocketFactory   ctx getSocketFactory         HttpsURLConnection connection    HttpsURLConnection  url openConnection        connection setSSLSocketFactory sslSocketFactory     The SSLContext takes some time to initialize  so you might want to cache it

User · Answer

Finally managed to solve all the issues  so I ll answer my own question  These are the settings files I ve used to manage to get my particular problem s  solved   The client s keystore is a PKCS 12 format file containing   The client s public certificate  in this instance signed by a self-signed CA  The client s private key   To generate it I used OpenSSL s pkcs12 command  for example   openssl pkcs12 -export -in client crt -inkey client key -out client p12 -name  Whatever    Tip  make sure you get the latest OpenSSL  not version 0 9 8h because that seems to suffer from a bug which doesn t allow you to properly generate PKCS 12 files   This PKCS 12 file will be used by the Java client to present the client certificate to the server when the server has explicitly requested the client to authenticate  See the Wikipedia article on TLS for an overview of how the protocol for client certificate authentication actually works  also explains why we need the client s private key here    The client s truststore is a straight forward JKS format file containing the root or intermediate CA certificates  These CA certificates will determine which endpoints you will be allowed to communicate with  in this case it will allow your client to connect to whichever server presents a certificate which was signed by one of the truststore s CA s   To generate it you can use the standard Java keytool  for example   keytool -genkey -dname  cn CLIENT  -alias truststorekey -keyalg RSA -keystore   client-truststore jks -keypass whatever -storepass whatever keytool -import -keystore   client-truststore jks -file myca crt -alias myca   Using this truststore  your client will try to do a complete SSL handshake with all servers who present a certificate signed by the CA identified by myca crt   The files above are strictly for the client only  When you want to set-up a server as well  the server needs its own key- and truststore files  A great walk-through for setting up a fully working example for both a Java client and server  using Tomcat  can be found on this website   Issues Remarks Tips   Client certificate authentication can only be enforced by the server   Important   When the server requests a client certificate  as part of the TLS handshake   it will also provide a list of trusted CA s as part of the certificate request  When the client certificate you wish to present for authentication is not signed by one of these CA s  it won t be presented at all  in my opinion  this is weird behaviour  but I m sure there s a reason for it   This was the main cause of my issues  as the other party had not configured their server properly to accept my self-signed client certificate and we assumed that the problem was at my end for not properly providing the client certificate in the request  Get Wireshark  It has great SSL HTTPS packet analysis and will be a tremendous help debugging and finding the problem  It s similar to -Djavax net debug ssl but is more structured and  arguably  easier to interpret if you re uncomfortable with the Java SSL debug output  It s perfectly possible to use the Apache httpclient library  If you want to use httpclient  just replace the destination URL with the HTTPS equivalent and add the following JVM arguments  which are the same for any other client  regardless of the library you want to use to send receive data over HTTP HTTPS    -Djavax net debug ssl -Djavax net ssl keyStoreType pkcs12 -Djavax net ssl keyStore client p12 -Djavax net ssl keyStorePassword whatever -Djavax net ssl trustStoreType jks -Djavax net ssl trustStore client-truststore jks -Djavax net ssl trustStorePassword whatever

User · Answer

I think the fix here was the keystore type  pkcs12 pfx  always have private key and JKS type can exist without private key  Unless you specify in your code or select a certificate thru browser  the server have no way of knowing it is representing a client on the other end

User · Answer

I ve connected to bank with two-way SSL  client and server certificate  with Spring Boot  So describe here all my steps  hope it helps someone  simplest working solution  I ve found     Generate sertificate request    Generate private key   openssl genrsa -des3 -passout pass MY PASSWORD -out user key 2048  Generate certificate request   openssl req -new -key user key -out user csr -passin pass MY PASSWORD    Keep user key  and password  and send certificate request user csr to bank for my sertificate Receive 2 certificate  my client root certificate clientId crt and bank root certificate  bank crt Create Java keystore  enter key password and set keystore password    openssl pkcs12 -export -in clientId crt -inkey user key -out keystore p12 -name clientId -CAfile ca crt -caname root   Don t pay attention on output  unable to write  random state   Java PKCS12 keystore p12 created  Add into keystore bank crt  for simplicity I ve used one keystore    keytool -import -alias banktestca -file banktestca crt -keystore keystore p12 -storepass javaops   Check keystore certificates by   keytool -list -keystore keystore p12  Ready for Java code   I ve used Spring Boot RestTemplate with add org apache httpcomponents httpcore dependency    Bean  sslRestTemplate   public RestTemplate sslRestTemplate   throws Exception     char   storePassword   appProperties getSslStorePassword   toCharArray      URL keyStore   new URL appProperties getSslStore        SSLContext sslContext   new SSLContextBuilder            loadTrustMaterial keyStore  storePassword       use storePassword twice  with key password do not work             loadKeyMaterial keyStore  storePassword  storePassword            build          Solve  Certificate doesn t match any of the subject alternative names    SSLConnectionSocketFactory socketFactory   new SSLConnectionSocketFactory sslContext  NoopHostnameVerifier INSTANCE      CloseableHttpClient client   HttpClients custom   setSSLSocketFactory socketFactory  build      HttpComponentsClientHttpRequestFactory factory   new HttpComponentsClientHttpRequestFactory client     RestTemplate restTemplate   new RestTemplate factory        restTemplate setMessageConverters List of new Jaxb2RootElementHttpMessageConverter        return restTemplate

User · Answer

For those of you who simply want to set up a two-way authentication  server and client certificates   a combination of these two links will get you there     Two-way auth setup   https   linuxconfig org apache-web-server-ssl-authentication   You don t need to use the openssl config file that they mention  just use      openssl genrsa -des3 -out ca key 4096   openssl req -new -x509 -days 365 -key ca key -out ca crt   to generate your own CA certificate  and then generate and sign the server and client keys via       openssl genrsa -des3 -out server key 4096   openssl req -new -key server key -out server csr   openssl x509 -req -days 365 -in server csr -CA ca crt -CAkey ca key -set serial 100 -out server crt   and     openssl genrsa -des3 -out client key 4096   openssl req -new -key client key -out client csr   openssl x509 -req -days 365 -in client csr -CA ca crt -CAkey ca key -set serial 101 -out client crt   For the rest follow the steps in the link  Managing the certificates for Chrome works the same as in the example for firefox that is mentioned    Next  setup the server via    https   www digitalocean com community tutorials how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04  Note that you have already created the server  crt and  key so you don t have to do that step anymore

[java] Java HTTPS client certificate authentication

Examples related to java

Examples related to ssl

Examples related to https

Examples related to client-certificates