Make Client Certificate Trusted by SSL Server

Q

How do I make a self-signed client certificate trusted by the SSL server? I want the Key Manager to send out the client certificate and have it accepted by the SSL server.

✍: FYIcenter

A

There are several options to make a self-signed certificate trusted by the SSL server:

  • Have a CA that the server already trusts (a public root CA such as GeoTrust, or your own internal CA) issue the certificate. You send the CA a certificate signing request (CSR) for the key, not the self-signed certificate itself, and deploy the certificate the CA returns.
  • Add your self-signed certificate to the JDK's default trust store, \local\jdk-1.8.0\jre\lib\security\cacerts (default password "changeit"), before running the server program. Note that this changes what every program run on that JDK trusts, not just your server.
  • Import your self-signed certificate into a separate keystore file and point the server at it with the JVM system property javax.net.ssl.trustStore when running the server program. This limits the extra trust to that one process.

Below is a demonstration of the last option:

1. Import the client certificate into a new keystore file that the server program will use as its trust store. Before answering "yes" at the trust prompt, compare the fingerprints keytool prints with the ones the certificate's owner gave you out of band; once it is in the trust store, whoever holds the matching private key is accepted as that client:

\fyicenter>\local\jdk-1.8.0\bin\keytool 
   -importcert -file client.crt -alias client -keystore client_crt.jks

Enter keystore password: fyicenter
Re-enter new password: fyicenter
Owner: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Issuer: CN=Frank Y. Ivy, OU=IT, O=FYIcenter, L=NA, ST=NA, C=FR
Serial number: 12414e2f
Valid from: Sun Jun 25 11:29:50 until: Sat Sep 23 11:29:50
Certificate fingerprints:
         MD5:  C3:C7:4D:06:F5:62:91:3D:C3:25:93:2C:01:BE:EF:B5
         SHA1: FF:08:6F:E1:80:C2:72:8D:81:58:21:AF:31:C2:02:AA:CB:02:A8:5E
         SHA256: 1B:ED:2E:B5:88:0C:8E:B6:A3:29:04:9D:15:B6:B2:C6:5A:14:AF:38:0C:...
         Signature algorithm name: SHA1withDSA
         Version: 3
...
Trust this certificate? [no]: yes
Certificate was added to keystore

2. Open a command window and run SslServerCmd with the javax.net.ssl.trustStore system property pointing at client_crt.jks on your local host. No javax.net.ssl.trustStorePassword is given here, so the JVM opens the JKS file without verifying its integrity; pass the password as well if you want that check:

\fyicenter>\local\jdk-1.8.0\bin\java
   -Djavax.net.ssl.trustStore=client_crt.jks SslServerCmd 8080 Yes

USAGE: java SslServerCmd [port [clientAuth]]
Listening: port=8080, clientAuth=Yes

3. Open another command window and run SslClientCertificateCmd on your local host, with javax.net.ssl.trustStore pointing at server_crt.jks, the keystore that holds the server's self-signed certificate:

\fyicenter>\local\jdk-1.8.0\bin\java 
   -Djavax.net.ssl.trustStore=server_crt.jks 
   SslClientCertificateCmd localhost 8080 /index.html

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 40

No more SSL errors. The client program communicated with the server with all messages encrypted, and each side authenticated the other: the server accepted the client certificate because it is in client_crt.jks, and the client accepted the server certificate because it is in server_crt.jks. Trust here is limited to exactly those two self-signed certificates (effectively certificate pinning), so whenever one of them is renewed the other side's trust store must be updated too.
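The source of SslServerCmd and SslClientCertificateCmd is not on this page, so the following is an added example, not FYIcenter's code, that reproduces the same mutual authentication programmatically: the server loads client_crt.jks as its trust store and requires a client certificate, the client loads server_crt.jks, and each side prints the subject and SHA-256 fingerprint of the certificate it actually authenticated. Building the SSLContext from explicit KeyStore objects is the in-code equivalent of the -Djavax.net.ssl.trustStore / -Djavax.net.ssl.keyStore properties used above. The file names server.jks and client.jks (each holding one private key with its self-signed certificate), the shared password "fyicenter", and port 8080 are assumptions made for the example.

```java
// MutualTlsDemo.java - added example; not the page's SslServerCmd / SslClientCertificateCmd.
// Assumed files in the working directory (names and the password are assumptions):
//   server.jks      server private key + self-signed certificate
//   client.jks      client private key + self-signed certificate
//   client_crt.jks  trust store holding client.crt (built in step 1 above)
//   server_crt.jks  trust store holding server.crt
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

public class MutualTlsDemo {
    static final char[] PASS = "fyicenter".toCharArray();   // assumed keystore password
    static final int PORT = 8080;                           // assumed port

    // Build an SSLContext from an explicit key store (our own identity) and trust store
    // (the certificates we accept from the peer). Equivalent to setting the
    // javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties.
    static SSLContext context(String keyStoreFile, String trustStoreFile) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStoreFile)) { ks.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStoreFile)) { ts.load(in, PASS); } // PASS enables the integrity check
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // SHA-256 fingerprint in keytool's colon-separated format, so it can be compared
    // with what keytool printed at import time.
    static String sha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        // Server side: identity from server.jks, trust only what is in client_crt.jks.
        SSLServerSocket ss = (SSLServerSocket) context("server.jks", "client_crt.jks")
                .getServerSocketFactory().createServerSocket(PORT);
        ss.setNeedClientAuth(true);   // handshake fails unless the client presents a trusted certificate

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                SSLSession session = s.getSession();   // forces the handshake to complete
                X509Certificate peer = (X509Certificate) session.getPeerCertificates()[0];
                System.out.println("server: client authenticated as " + peer.getSubjectX500Principal());
                System.out.println("server: client cert SHA256 " + sha256(peer));
                BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                System.out.println("server: request " + in.readLine());
                Writer out = new OutputStreamWriter(s.getOutputStream());
                out.write("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nOK");
                out.flush();
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        server.start();

        // Client side: identity from client.jks, trust only what is in server_crt.jks.
        try (SSLSocket c = (SSLSocket) context("client.jks", "server_crt.jks")
                .getSocketFactory().createSocket("localhost", PORT)) {
            SSLSession session = c.getSession();
            X509Certificate peer = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("client: server authenticated as " + peer.getSubjectX500Principal());
            System.out.println("client: server cert SHA256 " + sha256(peer));
            Writer out = new OutputStreamWriter(c.getOutputStream());
            out.write("GET /index.html HTTP/1.0\r\n\r\n");
            out.flush();
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()));
            System.out.println("client: " + in.readLine());
        }
        server.join();
        ss.close();
    }
}
```

Compile and run with `javac MutualTlsDemo.java && java MutualTlsDemo` once the four keystore files exist. Two caveats a practitioner should keep in mind: a raw SSLSocket does not check that the server's certificate matches the host name (enable that with `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` before the handshake, which requires a certificate naming the host), and the certificate shown on this page is signed with SHA1withDSA; newer JDKs restrict SHA-1 and small DSA keys through `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms`, so if the handshake is rejected, regenerate the keys with `keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA`.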


Examples for jsse.jar - Java Secure Socket Extension


2018-06-12