Why Doesn't Java Send the Client Certificate During Ssl Handshake

why doesn't java send the client certificate during SSL handshake?

It's possible that you may have imported the intermediate CA certificate into the keystore without associating it with the entry where you have your client certificate and its private key. You should be able to see this using keytool -v -list -keystore store.jks. If you only get one certificate per alias entry, they're not together.

You would need to import your certificate and its chain together into the keystore alias that has your private key.

To find out which keystore alias has the private key, use keytool -list -keystore store.jks (I'm assuming JKS store type here). This will tell you something like this:

Your keystore contains 1 entry

myalias, Feb 15, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): xxxxxxxx

Here, the alias is myalias. If you use -v in addition to this, you should see Alias Name: myalias.

If you don't have it separately already, export your client certificate from the keystore:

keytool -exportcert -rfc -file clientcert.pem -keystore store.jks -alias myalias

This should give you a PEM file.

Using a text editor (or cat), prepare file (let's call it bundle.pem) with that client certificate and the intermediate CA certificate (and possibly the root CA certificate itself if you want), so that the client-certificate is at the beginning and its issuer cert is just under.

This should look like:

-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV
....
-----END CERTIFICATE-----

Now, import this bundle back together into the alias where your private key is:

keytool -importcert -keystore store.jks -alias myalias -file bundle.pem

Java SSL handshake failure - no client certificate

I was missing the fact that the client's certificate has to be generated by the server via a Certificate Signing Request (CSR).

The process is :

1. Produce a keypair (via keytool -genkey)
2. Generate a PKCS#10 CSR (via keytool -certreq)
3. Send the CSR to the concerned authority
4. Get back a SSL certificate

Thanks for the comments that helped me to improve my ssl understanding.

Why client cert is not sent during SSL connection? CXF 2.7.9

For anyone who is having same issue while using CXF (2.7.9), this is a doggy issue that CXF introduces.

CXF doesn't pick up keystore configured by VM argument "-Djavax.net.ssl.keyStore", but has its own solution. see http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport

Java HTTPS client fails SSL handshake while curl succeeds

So I ended up completely reworking how my certificates were being generated and I was able to get things working, with a caveat: it depended how the certificates were generated.

Works with Java client, curl, and Postman:

openssl genrsa -aes256 -out private/${SVRNAME}.key.pem 2048
openssl req -config ${CONFIGDIR}/openssl.cnf \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -key private/${SVRNAME}.key.pem \
      -out certs/${SVRNAME}.cert.pem

Works with curl and Postman but not Java client:

openssl req -newkey rsa:2048 -nodes \
      -keyout private/${CLINAME}.key.pem \
      -x509 -days 365 -out certs/${CLINAME}.cert.pem

Not sure why the "quick" certificate caused so many problems but at least it is working now. Thanks to Patrick and Dave for the help!

---

Related Topics