Make Client Certificate Trusted by SSL Server

Q

How to make a self-signed client certificate trusted by the SSL server? I want to help Key Manager to send out the client certificate and accepted by the SSL server.

✍: FYIcenter

A

There are several options to make a self-signed certificate trusted by the SSL Server:

  • Send your self-signed certificate to a trusted root CA, like GeoTrust, and ask them to sign it for you.
  • Add your self-signed certificate to the default trust root CA keystore file in \local\jdk-1.8.0\jre\lib\security\cacerts, before running the server program.
  • Add your self-signed certificate to the JVM property: javax.net.ssl.trustStore, when running the server program.

Below is a demonstration of the last option:

1. Save the client certificate in a keystore file for the server program to use:

\fyicenter>\local\jdk-1.8.0\bin\keytool 
   -importcert -file client.crt -alias client -keystore client_crt.jks

Enter keystore password: fyicenter
Re-enter new password: fyicenter
Owner: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Issuer: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Serial number: 12414e2f
Valid from: Sun Jun 25 11:29:50 until: Sat Sep 23 11:29:50
Certificate fingerprints:
         MD5:  C3:C7:4D:06:F5:62:91:3D:C3:25:93:2C:01:BE:EF:B5
         SHA1: FF:08:6F:E1:80:C2:72:8D:81:58:21:AF:31:C2:02:AA:CB:02:A8:5E
         SHA256: 1B:ED:2E:B5:88:0C:8E:B6:A3:29:04:9D:15:B6:B2:C6:5A:14:AF:38:0C:...
         Signature algorithm name: SHA1withDSA
         Version: 3
...
Trust this certificate? [no]: yes
Certificate was added to keystore

2. Open command window and run SslServerCmd.java with javax.net.ssl.trustStore system property set to client_crt.jks on your local host:

\fyicenter>\local\jdk-1.8.0\bin\java
   -Djavax.net.ssl.trustStore=client_crt.jks SslServerCmd 8080 Yes

USAGE: java SslServerCmd [port [clientAuth]]
Listening: port=8080, clientAuth=Yes

3. Open another command window and run SslServerCmd.java on your local host:

\fyicenter>\local\jdk-1.8.0\bin\java 
   -Djavax.net.ssl.trustStore=server_crt.jks 
   SslClientCertificateCmd localhost 8080 /index.html

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 40

No more SSL errors. The client program successfully communicated with the server with all messages encrypted. And both the server and client are authenticated by their own certificates.

 

SSL Handshake Messages with Client Authentication

Key Manager Not Sending Client Certificate

Examples for jsse.jar - Java Secure Socket Extension

⇑⇑ FAQ for jsse.jar - Java Secure Socket Extension

2018-06-12, 1147🔥, 0💬