Java ssl connection certificate

How to connect to a secure website using SSL in Java with a pkcs12 file?

I have a pkcs12 file. I need to use this to connect to a webpage using the https protocol. I came across some code where, in order to connect to a secure web page, I need to set the following system properties:

System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStore", "new_cert.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "newpass");
openssl.exe pkcs12 -in c:/mykey.p12 -out c:/cert.txt -nokeys -clcerts 
openssl.exe x509 -in c:/cert.txt -outform DER -out c:/CAcert.der 
keytool -import -file C:/Cacert.der -keystore mytruststore 
Exception in thread "main" java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl) 

Update: After removing certain properties and setting only the "trustStore", "trustStorePassword" and "trustStoreType" properties, I got the following exception:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty 

If you could post more of the stack trace (information from the stack frames, not just the exception message) I will take a look at it.

Another thing to check is that your trust store location is correctly specified; if javax.net.ssl.trustStore is specified but doesn’t exist, an empty trust store is created on the fly. Your new error message makes it sound like this could be happening.

8 Answers

For anyone encountering a similar situation I was able to solve the issue above as follows:

    Regenerate your pkcs12 file as follows:

openssl pkcs12 -in oldpkcs.p12 -out keys -passout pass:tmp
openssl pkcs12 -in keys -export -out new.p12 -passin pass:tmp -passout pass:newpasswd

    Then set the properties against the regenerated file:

System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStore", "new.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "newpasswd");

Writing an answer to your own question and accepting it is a bit questionable if you ask me. A bit like upvoting yourself (which of course isn’t possible)


@Fredrik — seems perfectly reasonable to me. I think there’s probably something about in the FAQ though.

I cannot comment because of the 50pts threshold, but I don’t think that the answer provided in https://stackoverflow.com/a/537344/1341220 is correct. What you are actually describing is how you insert server certificates into the system's default truststore:

($JAVA_HOME/jre/lib/security/cacerts, password: changeit)

This works, indeed, but it means that you did not really specify a trust store local to your project, but rather accepted the certificate universally in your system.

You actually never use your own truststore that you defined here:

System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

I got your point. But I am wondering: does the statement System.setProperty change the default trust store or not? You mentioned in your answer that it is not possible to use the trust store defined in the code since he/she is already using the default one. Is that really true? Then what is the point of System.setProperty if the default store is not changeable?

It appears that you are extracting your certificate from the PKCS #12 key store and creating a new Java key store (with type "JKS"). You don’t strictly have to provide a trust store password (although using one allows you to test the integrity of your root certificates).

So, try your program with only the following SSL properties set. The list shown in your question is over-specified and may be causing problems.

System.setProperty("javax.net.ssl.trustStore", "myTrustStore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Also, using the PKCS #12 file directly as the trust store should work, as long as the CA certificate is detected as a "trusted" entry. But in that case, you’ll have to specify the javax.net.ssl.trustStoreType property as "PKCS12" too.


Try with these properties only. If you get the same error, I suspect your problem is not the key store. If it still occurs, post more of the stack trace in your question to narrow the problem down.

The new error, "the trustAnchors parameter must be non-empty," could be due to setting the javax.net.ssl.trustStore property to a file that doesn’t exist; if the file cannot be opened, an empty key store is created, which would lead to this error.
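The trust-store half of the exchange above, as an added example that is not code from the question or any of the answers: instead of the openssl/keytool round trip, it reads the certificate chain out of the PKCS #12 file with the JDK's own KeyStore API, writes every certificate into a fresh trust store as a trustedCertEntry, and refuses to write a store that has zero anchors, which is the condition behind "the trustAnchors parameter must be non-empty". It also fails on a missing input file rather than silently continuing with an empty store, the behaviour the last answer describes for javax.net.ssl.trustStore. The file names (new_cert.p12, myTrustStore.p12) and passwords (newpass, changeit) are assumptions taken from the question.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Builds a trust store from the certificates inside a PKCS#12 file and refuses
 * to produce one with no trust anchors. Added example; the file names and
 * passwords (new_cert.p12 / newpass / myTrustStore.p12 / changeit) are assumptions.
 */
public class TrustStoreFromPkcs12 {

    /** Loads a key store, failing loudly if the file is missing. */
    static KeyStore load(Path file, String type, char[] password)
            throws IOException, GeneralSecurityException {
        if (!Files.isRegularFile(file)) {
            // JSSE silently falls back to an empty store when the file named in
            // javax.net.ssl.trustStore does not exist; that is the hidden cause of
            // "the trustAnchors parameter must be non-empty".
            throw new IOException("key store not found: " + file.toAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Copies every certificate in the PKCS#12 file (a key entry's whole chain,
     * plus any bare certificate entries) into a new store as a trustedCertEntry.
     * The CA is the last element of the chain; the leaf is copied too so that a
     * self-signed server certificate is also trusted.
     */
    static KeyStore buildTrustStore(KeyStore pkcs12)
            throws IOException, GeneralSecurityException {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null); // start empty
        Enumeration<String> aliases = pkcs12.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate[] chain = pkcs12.isKeyEntry(alias)
                    ? pkcs12.getCertificateChain(alias)      // null for secret-key entries
                    : new Certificate[] { pkcs12.getCertificate(alias) };
            if (chain == null) {
                continue;
            }
            for (Certificate c : chain) {
                // Alias by subject DN so the leaf and the CA do not overwrite each other.
                String subject = ((X509Certificate) c).getSubjectX500Principal().getName();
                trust.setCertificateEntry(subject, c);
            }
        }
        return trust;
    }

    /** Number of trustedCertEntry items; zero is exactly the failing condition. */
    static int trustAnchorCount(KeyStore trust) throws GeneralSecurityException {
        int n = 0;
        Enumeration<String> aliases = trust.aliases();
        while (aliases.hasMoreElements()) {
            if (trust.isCertificateEntry(aliases.nextElement())) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        Path p12 = Paths.get(args.length > 0 ? args[0] : "new_cert.p12"); // assumed input
        char[] p12Password = (args.length > 1 ? args[1] : "newpass").toCharArray();
        char[] trustPassword = "changeit".toCharArray();

        KeyStore trust = buildTrustStore(load(p12, "PKCS12", p12Password));
        int anchors = trustAnchorCount(trust);
        if (anchors == 0) {
            throw new IllegalStateException(p12 + " holds no certificates; refusing to write an empty trust store");
        }
        try (FileOutputStream out = new FileOutputStream("myTrustStore.p12")) {
            trust.store(out, trustPassword);
        }
        System.out.println("wrote myTrustStore.p12 with " + anchors + " trusted certificate(s)");
        // To use it process-wide, set these before the first HTTPS connection is
        // opened; JSSE reads them once, when the default SSLContext is initialised:
        //   -Djavax.net.ssl.trustStore=myTrustStore.p12
        //   -Djavax.net.ssl.trustStoreType=PKCS12
        //   -Djavax.net.ssl.trustStorePassword=changeit
    }
}
```

Run it as `java TrustStoreFromPkcs12 new_cert.p12 newpass`. Because the output is a PKCS12 store, javax.net.ssl.trustStoreType must be given as PKCS12, which matches the remark in the answer above; pass the three properties on the command line rather than via System.setProperty so they are guaranteed to be in place before the default SSLContext is built.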


JAVA : How to make SSL connection with public certificate and private key

@EJP, I cannot use SSL Sockets, I am only allowed to use HTTPS URL Connection, which kinda makes things difficult. Thank you for the reference, but I do not see much help there (I went through it briefly though).

All the KeyStore and truststore steps and settings described there apply to both SSLSockets and HttpsURLConnection.

1 Answer

It sounds like you need to use an HTTPS URL connection to connect with a server which requires client authentication. You’ll need to do two things to get there from where you are.

First, you’ll need to create a Java style keystore from your private key and public certificate. Detailed instructions can be found in the answers to this question:

You’ll also need to import the server’s certificate into the keystore.

Second, you’ll need to write your Java code to use your newly created keystore. Do this by creating an SSLContext using your keystore, and setting your HTTPS URL connection to use a socket factory from this context — something along the lines of this:

// SSLConnections.getSSLContext is the answerer's own helper, not a JDK class;
// it must return an SSLContext initialised from the keystore.
SSLContext sslContext = SSLConnections.getSSLContext(keyStoreFile, keyStoreFilePassword);
httpsURLConnection.setSSLSocketFactory(sslContext.getSocketFactory());

This should be done after the HttpsURLConnection is created, but before it is connected — that is, before you read from or write to it, or call connect() on it.
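The SSLConnections.getSSLContext(...) helper in the answer above is not a JDK class, so here is an added example, not the answerer's code, of what such a helper has to do with JDK classes only: a KeyManagerFactory over the client's PKCS #12 file supplies the certificate and private key for client authentication, a TrustManagerFactory over a separate trust store decides which server CA is accepted, and the resulting SSLContext is attached to one HttpsURLConnection before connect(), leaving the default HostnameVerifier in place. The host name (server.example), file names (new_cert.p12, myTrustStore) and passwords (newpass, changeit) are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual TLS over HttpsURLConnection: the client key and certificate come from a
 * PKCS#12 file (KeyManager), the server's CA from a separate trust store
 * (TrustManager), and the resulting SSLContext is applied per connection rather
 * than through System.setProperty. Added example; the host name, file names and
 * passwords are assumptions.
 */
public class MutualTlsHttpsClient {

    static KeyStore loadKeyStore(String file, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** What a getSSLContext(keyStoreFile, password) helper has to do, using JDK classes only. */
    static SSLContext buildSslContext(String clientP12, char[] clientP12Password,
                                      String trustStoreFile, String trustStoreType,
                                      char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        // Client identity. "openssl pkcs12 -export" protects the store and the key
        // with the same password, so it is passed to both load() and init().
        KeyStore clientKeys = loadKeyStore(clientP12, "PKCS12", clientP12Password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, clientP12Password);

        // Server trust. Only CAs in this store are accepted; the JDK's cacerts is not consulted.
        KeyStore trust = loadKeyStore(trustStoreFile, trustStoreType, trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Performs a GET and returns the HTTP status; the socket factory is set before connect(). */
    static int get(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // after openConnection(), before connect()
        // The default HostnameVerifier stays in place: the server certificate must match url's host.
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(10000);
        conn.connect();
        int status = conn.getResponseCode();
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (body != null) {
            try (InputStream in = body) {
                byte[] buf = new byte[4096];
                while (in.read(buf) != -1) {
                    // drain so the underlying connection can be reused
                }
            }
        }
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext(
                "new_cert.p12", "newpass".toCharArray(),          // assumed client PKCS#12
                "myTrustStore", "JKS", "changeit".toCharArray()); // assumed keytool-built trust store
        int status = get(new URL("https://server.example/"), ctx); // assumed host
        System.out.println("HTTP " + status);
    }
}
```

Because the SSLContext is set on the connection object, this does not touch the JVM-wide defaults and does not depend on the javax.net.ssl.* properties being read before the first connection; two connections in the same process can use different client certificates. If the server's CA is missing from myTrustStore the handshake fails with a PKIX path-building error, which is the correct outcome; do not work around it by installing a permissive TrustManager or HostnameVerifier.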


