0
votes

I have a problem with a certificate. This is my stack trace:

    trustStore is: /usr/user/programs/java/jdk1.7.0_10/jre/lib/security/jssecacerts
    trustStore type is : jks
    trustStore provider is : 
    init truststore
    adding as trusted cert:
    Subject: EMAILADDRESS=******, CN=865409164, OU=http://www.sistem.net, O=DOO, L=Citluk, ST=Text, C=BA
    Issuer:  EMAILADDRESS=***********, CN=ecommtest.rbbh.ba, OU=ITRIOSS.CARD, O=BANK, L=CITY, ST=******, C=BA
    Algorithm: RSA; Serial number: 0xf6e5b0e213f9b11b Valid from Tue Jul 30 14:43:23 CEST 2013 until Wed Jul 30 14:43:23 CEST 2014

and at the end I get this:

    ***
    %% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
    main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
    main, WRITE: TLSv1 Alert, length = 2
    [Raw write]: length = 7
    0000: 15 03 01 00 02 02 2E                               .......
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    main, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    main, called close()
    main, called closeInternal(true)

I've got the certificate as PKCS12, then I ran importkeystore with keytool into jssecacerts and copied it to JDK/jre/lib/security.

I use apache HttpClient to execute POST request.

Thanks for any help

Zlaja

2
Can you clarify what you are trying to do? Are you attempting to use client certificate authentication? Also, the PKCS12 does not need to be imported into the jre/lib/security/cacerts. The certificate of the issuer needs to be imported there. – Dave G
I want to connect to another company's server. I have got a PKCS12 certificate from that company. I use Apache HttpClient 4.1 for the POST request. I have tried a lot of ideas I've found on the Internet, but without success. – zlaja
You will need to determine the issuer certificate, then I would recommend looking into loading the PKCS#12 and the issuer certificate into a single JKS keystore. Then configure the socket factory to utilize that store as a keystore & truststore. – Dave G
I have found this: mkyong.com/webservices/jax-ws/…. The application gets the certificate from the server and creates a keystore. Now I no longer have the previous error (the JDK cannot find the certificate), but a new one: `main, received EOFException: error main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake`. I don't know whether this step is a move forward or not. – zlaja

2 Answers

0
votes

We have found a solution. These are the steps:

  1. Run InstallCert from https://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java. It will create jssecacerts.

  2. Backup your cacerts from jre/lib/security

  3. Replace cacerts with jssecacerts

  4. Change your code like this:

    import java.io.FileInputStream
    import java.security.{KeyStore, SecureRandom}
    import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
    import org.apache.http.conn.scheme.{Scheme, SchemeRegistry}
    import org.apache.http.conn.ssl.SSLSocketFactory
    import org.apache.http.impl.client.DefaultHttpClient
    import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager
    import org.apache.http.params.BasicHttpParams

    // Client identity: the PKCS12 received from the other company (private key + certificate)
    val clientStore = KeyStore.getInstance("PKCS12")
    clientStore.load(new FileInputStream("/home/zlaja/Downloads/imakstore_80009164.p12"), "12348765".toCharArray())

    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(clientStore, "12348765".toCharArray())
    val kms = kmf.getKeyManagers()

    // Server trust: the cacerts file replaced in step 3 with the jssecacerts produced by InstallCert
    val trustStore = KeyStore.getInstance("JKS")
    trustStore.load(new FileInputStream("/usr/user/programs/java/jdk1.7.0_10/jre/lib/security/cacerts"), "changeit".toCharArray())

    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trustStore)
    val tms = tmf.getTrustManagers()

    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(kms, tms, new SecureRandom())

    // Register the context for https on port 443 and build the client with it
    val httpParameters = new BasicHttpParams()
    val schemeRegistry = new SchemeRegistry()
    schemeRegistry.register(new Scheme("https", new SSLSocketFactory(sslContext), 443))

    val client = new DefaultHttpClient(new ThreadSafeClientConnManager(httpParameters, schemeRegistry), httpParameters)
    
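Dave G's comments and the answer above amount to the same two-sided fix: present the PKCS12 to the server as the client identity, and make the server's issuer CA trusted on the client side. Neither step requires overwriting the JDK's cacerts. The following Java example, added here and not part of the question or either answer, builds such an SSLContext in memory; the file paths, the PKCS12 password and the issuer-CA file passed on the command line are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Mutual-TLS SSLContext built in memory, without editing the JDK's cacerts. */
public class MutualTlsContext {
    static SSLContext build(String p12Path, char[] p12Pass, String issuerCertPath) throws Exception {
        // Client identity: the PKCS12 holds OUR key and certificate, which is presented
        // to the server. It does nothing to make the server's certificate trusted by us.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            clientStore.load(in, p12Pass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, p12Pass);

        // Server trust: start from a copy of the JDK's default CAs...
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(cacerts)) {
            trustStore.load(in, "changeit".toCharArray()); // JDK default password
        }
        // ...then add the server's issuer CA (PEM or DER; a file holding a chain works too).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(issuerCertPath)) {
            int i = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("server-issuer-" + i++, ca);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null = default SecureRandom
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Usage (assumed paths): java MutualTlsContext client.p12 <p12-password> server-issuer.pem
        SSLContext ctx = build(args[0], args[1].toCharArray(), args[2]);
        // HttpClient 4.1 wiring, as in the answer above:
        //   schemeRegistry.register(new Scheme("https", new SSLSocketFactory(ctx), 443))
    }
}
```

If the handshake still ends with the server closing the connection, check that the PKCS12 really contains a private key entry (`clientStore.isKeyEntry(alias)`), since a PKCS12 holding only certificates gives the KeyManager nothing to present.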
-1
votes

I had this problem as well, but I finally have a solution that works for my JAX-WS client with SSL.

The problem in my case was that JAX-WS was not able to look in any keystore other than cacerts, and my certificate had a chain of 2, which was impossible to import via the command line into cacerts.