Portability of client certificates
Hi,
I have created a client certificate (client.cer) for mutual authentication using keytool in linux. This client certificate will be stored at where the client application resides. Is client.cer portable? Can it be exported to a different platform eg. Windows, where the client application uses Stunnel and utilizes client.cer in mutual authentication?
From what I have found out, certificates in Stunnel are stored in PEM format, but the client certificate - client.cer generated by keytool cannot be used by Stunnel. Am I right?
Your input is much appreciated. Thanks.
Kim K.C.
Yes. Its portable.
CER extension reflects a public certificate encoded as binary. openssl package should be able to read that format . Java can read it too...
But if you want mutual authentication, you probably need to be able to sign something with the certificate and its corresponding private key. CER file is only the public certificate. There is no private key stored in that file type.
You need to export the certificate AND the private key into some safe keystore, ex, PKCS12. Openssl can store the private key in an password encrypted file.
/Bo
http://bofriis.dk
Similar Messages
-
Asking specific client certificate (not certificates trusted by authority)
As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
For example:
Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
It might not be elegantBut it is!
See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources. -
How to load a client certificate into a servlet to access a Web Service
Hi,
I am having the following problem:
I am trying to use a Web Service client (Axis) within a servlet running under
WebLogic 8.1.
I would like to have mutual SSL-based authentication between the client and the
server hosting the Web Service. Thus, my client has to send a certificate to the
server.
My problem is: how to get the certificate into the request? I know that, for example,
the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
use this class.
Is there any other method to make sure that SSL requests use my client certificates?
By the way, I am receiving the following error message from the server:
<Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificate
s not supplied by peer>
<Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate
ch
ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
Anyone has an idea?
Thanks for any hints,
Zoltan Schreter
NokiaHi all,
I have solved this problem basically by using weblogic's SSLSocketFactory instead
of the default one used by Axis. I created a custom HttpSender (MyHttpSender)
which uses this Factory. I then created a custom Config class which I pass to
the constructor of Service. The Config class looks like this:
public class MyConfig extends SimpleProvider {
* Constructor - deploy client-side basic transports.
public MyConfig() {
deployTransport("java", new SimpleTargetedChain(new JavaSender()));
deployTransport("local", new SimpleTargetedChain(new LocalSender()));
deployTransport("http", new SimpleTargetedChain(new MyHttpSender()));
The relevant code within MyHttpSender looks something like this:
SSLClientInfo sslinfo = new SSLClientInfo();
File ClientKeyFile = new File("C:/certificates/testkey.pem");
File ClientCertsFile = new File("C:/certificates/testcert.pem");
InputStream[] ins = new InputStream[2];
ins[0] = new FileInputStream(ClientCertsFile);
ins[1] = new FileInputStream(ClientKeyFile);
String pwd = "mykeypass";
sslinfo.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
javax.net.SocketFactory sockf = weblogic.security.SSL.SSLSocketFactory.getJSSE(sslinfo);
sock = sockf.createSocket(host, port) ;
By the way, this change also solved the other problem I posted about (not being
able to tunnel through the https proxy).
Cheeers,
Zoltan Schreter
Nokia
"Tony" <TonyV> wrote:
Which API's are you currently using for the SSL communication in the
client
side?
Tony
"Zoltan Schreter" <[email protected]> wrote in message
news:[email protected]...
Hi,
I am having the following problem:
I am trying to use a Web Service client (Axis) within a servlet runningunder
WebLogic 8.1.
I would like to have mutual SSL-based authentication between the clientand the
server hosting the Web Service. Thus, my client has to send a certificateto the
server.
My problem is: how to get the certificate into the request? I knowthat,
for example,
the HttpsURLConnection class of WebLogic has a loadIdentity method.But I
can't
use this class.
Is there any other method to make sure that SSL requests use my clientcertificates?
By the way, I am receiving the following error message from the server:
<Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peercertificate
s not supplied by peer>
<Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508><Certificate
ch
ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
Anyone has an idea?
Thanks for any hints,
Zoltan Schreter
Nokia -
Project Server 2010 Web services access with Client Certificate Authentication
We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
web service applications that no longer connect to server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
Please let us know if it is possible to authenticate with AD FS 2.0 and then call
Project Server web services. Any help or coding examples would be greatly appreciated.what is the error occurred when the custom PSI app connects?
can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of
“Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{ var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity; }
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
Than you need to extract UPN-Claim from the identity.
Upload the verbose log if possible.
Did you see this?
http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management -
Help required with ADFS 3.0 client certificate authentication
Hi,
I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
federate user credentials to 3rd party trust for single-sign-on.
I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
Thanks!
-Chinmaya KarveHi Yan,
Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
So, as I mentioned earlier, I have 2 parallel setups with 3rd party service(SalesForce). Once of them is running ADFS 2.0 and another one has ADFS 3.0. I can logon to the third-party services, from both the setups using username/format. I can logon to SF
using client authentication certificate from ADFS 2.0 setup, but from the same client machine, when I try to logon SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows message of "Select a certificate that you want to use
for authentication. If you cancel the operation, please close your browser and try again.".
I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
I am really confused now, as to whose issue this really is...
Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
Any suggestion or inputs where I could have gone wrong in the setup?
Thanks! -
IPhone Mail app; IMAP; x509 client certificate?
The title says it all really.
I have an x509 client certificate happily installed in my iPhone's keychain. This certificate works correctly in Safari, allowing access to sites which demand it. When I try to collect mail from an IMAP server which also requires a client certificate, it doesn't work.
As far as I can work out, the Mail app is not sending my client certificate when the server requests it to do so. Is this true? Is there a way to configure the Mail app to respond correctly to the server's client certificate request? Any pointers or information welcome!I think so.
Actually I think I need to get the App Password for Mail on my phone. It generates the app password and I enter it into the password in the gmail setup for mail.
The problem is that when I hit next on that page, I get the message:
"my name" is already added" and I cannot proceed.
Before doing this setup I deleted my gmail account by tapping the email address and hitting delete in the Mail, Contact and Calendars setup..
but, there is something hiding in my iPhone that remembers my old gmail password (I guess) and doesn't let me proceed.
If I enter my gmail iChain password I get the same thing.
If i do this in airplane mode (no connection to google) i also get the same.
I talked to an apple care person who had me reset all my settings... still the same thing.
I am trying to avoid a gull reset of the iPhone, but that may be in the cards.
Going to go to the apple store and ask there, but i am not hopeful.
Barry -
Problem in reading client certificate
Hi,
I am developing an web app. where client will use smart card for authentication.
And server will read the clients certificate. All the application will run in https.
So please guide me to develop such a system. I am using tomcat 6x and have created a server certificate by keytool.
I am not using openssl.
Please help me....
Thanx in advance.hi
when you pass the manual entry posting date will be 31.03.2009 and period will be 13 because when we close the year still open 4 special period to post further entries.
Regards
Tanmoy -
How can I prevent client certificate information from being written to kjs log?
I have an application running on iPlanet Application server 6.0 that makes an SSL connection to an external site using client certificate. Problem : Every time the connection is wrapped in a client certificate, the entire SSL handshake including the key-exchange information is automatically being logged in the kjs log. How do I prevent the kjs from writing this inormation to the log ?
How are you making this SSL connection? Whatever library you are using must be writing to System.out().
You could avoid logging these messages by using file logs rather than console logs. But you could probably disable these messages by working with your SSL libraries as well. -
Client certificate authentication with custom authorization for J2EE roles?
We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
<auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--ThanksWe have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* <P>A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* <P>IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
protected void init(Properties props)
throws BadRealmException, NoSuchRealmException
public java.util.Enumeration getGroupNames (String username)
throws InvalidOperationException, NoSuchUserException
public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* <P>The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* <P>This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* <P>The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* <P>Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
protected AuthenticationStatus authenticate()
throws LoginException
private String[] authenticate(String username,String passwd)
private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* <P>The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* <P>There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* <P>The certificate realm needs the following properties in its
* configuration: None.
* <P>The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
protected void init(Properties props)
* Returns the name of all the groups that this user belongs to.
* @param username Name of the user in this realm whose group listing
* is needed.
* @return Enumeration of group names (strings).
* @exception InvalidOperationException thrown if the realm does not
* support this operation - e.g. Certificate realm does not support
* this operation.
public Enumeration getGroupNames(String username)
throws NoSuchUserException, InvalidOperationException
* Complete authentication of certificate user.
* <P>As noted, the certificate realm does not do the actual
* authentication (signature and cert chain validation) for
* the user certificate, this is done earlier in NSS. This default
* implementation does nothing. The call has been preserved from S1AS
* as a placeholder for potential subclasses which may take some
* action.
* @param certs The array of certificates provided in the request.
public void authenticate(X509Certificate certs[])
throws LoginException
// Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM -
Client certificate authentication on ASA 5520
Hi,
We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ADSM trustpoint, or is there more steps?Hi Paul,
I generate a PCKS#12 file that enclosed the client certificate + the associated private key + the CA certchain.
I deployed it on client host machine by juste sending it by e-mail/ USB key/ Web plushing.
Depending of your client OS version, the client certificate should be present in, the "login" store of keychain repository on a MAC OS-X client and in the "personal" store of the certificate repository on a Windows client.
And that it.
Vincent -
Client Certificate Authentication
Hi guys
I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
any help would be truly appreciated
JesusIf IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
Users could go to the website of the issuing certificate authorities and make a request.
I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
I'll look further though (interested in this myself).
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
Environment:
Windows 2003 Server
IIS 6.0
Java Applets
JVM 1.6
I currently have IIS set to "accept client certificates" and have a valid list in my Certificate Trust List of certificates I want to accept. I also have Windows Authentication set in the event the user does not have a valid client certificate type then they will be prompted for their Windows Login. My problem is that even though they authenticate via Windows they are still being prompted for certificates by the JVM and of course there are none in IEs store.
Is there a way to stop this or is this just a way of life.I think it is related to the certificate you are using: what are the available CRL's (Certificate Revocation List) in that certificate? You can see that by opening the properties of the cert. The client might want to check the CRL of your CA and has no permission
to do it.
You might want to check if the CRL distribution point as configured in the certification is accessible by the client or generate a different certificate with a different distribution point.
Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be -
Client Certificate Mapping authentication using Active Directory across trusted forests
Hi,
We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
Mapping".
However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
1. Is this possible?
2. If yes, what do we need to do to make this work.
Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"1. Yes!
2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
and mapping?
/Hasain
We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
To simulate the scenario, I setup up two separate forests and established a trust between them.
I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
I setup a test ASP page to capture the Login Info on both the servers.
With the client and the server in the same forest, I got the following results
Login Info
LOGON_USER: CORP\ASmith
AUTH_USER: CORP\ASmith
AUTH_TYPE: SSL/PCT
With the client in the domain with the PKI and the server in the other Forest, I got the following response
Login Info
LOGON_USER:
AUTH_USER:
AUTH_TYPE:
I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied -
Client certificate is not send
Hi
I have not much experience in Java, so thank you in advance for your help.
I have some piece of client code which setup the secure connection. Everything works fine until I use server authentication (in my certificate store I have trusted CA certificate and client certificate signed by this trusted CA). In mutual authentication handshake fails, because the cliend doesn't send any certificate (i checked it using network sniffer). I was looking for the way of enumerate the local certificates which are going to be send from client, but I can't understand how should I do it. There is my code below :
System.setProperty("-Djavax.net.ssl.trustStore","G:/Program Files/Java/jre1.5.0_07/lib/security/cacerts".replace('/', File.separatorChar));
System.setProperty("-Djavax.net.ssl.trustStorePassword","changeit");
System.setProperty("-Djavax.net.debug","all");
int port = 16993;
String hostname = "10.10.1.11";
SSLSocketFactory factory = null;
SSLSocket socket = null;
SSLSession session = null;
String[] proto = new String[1];
String[] ciphe = new String[1];
String[] all_ciphe_supp = new String[33];
System.out.println("Cipher Suite and Protocols test");
try {
factory = HttpsURLConnection.getDefaultSSLSocketFactory();
} catch (Exception e) {
System.out.println( e.toString());
if (factory != null) {
// Connect to the server
try {
socket = (SSLSocket)factory.createSocket(hostname,port);
all_ciphe_supp = socket.getSupportedCipherSuites();
System.out.println("All ciphersuites and protocol supported");
socket.startHandshake();
session = socket.getSession();
System.out.println("Connection established using " + session.getProtocol() + " and " + session.getCipherSuite());
socket.close();
} catch (SSLPeerUnverifiedException e) {
System.out.println("Connection not established : " + e.toString());
} catch (IOException e) {
System.out.println("Connection not established : " + e.toString());
}Thanks a lot, it is a little bit better, I can see debug messages at the output :)
However the main problem still exists. In debug window I can see that client and CA certificates are added as trusted certificates, but no certificate is sent to server. Is it something wrong with certificate?
I have the certificate in following formats: .der .p12 .pem
I could only import .der using keytool (trying to import .p12 or .pem got Input not an X.509 certificate error), but using web browser I can use this certificate and mutual authentication goes ok. -
Designating the specific client certificate to use from within an applet
With JRE 1.4.x, my applet will use a specific client certificate for connection to an https url which requires a client certificate - I did that by defining runtime parameters for the jre (-Djavax.net.ssl.keyStore=...) but with JRE 1.5.x, the same runtime options doesn't seem to have any effect (even if I configure the plugin not to use the browser's store of certificates).
I like the new "use browser certifcate store" feature of the JRE 1.5.x, but can I have a way to designate, programmatically in the code of my applet, which specific certificate to use?With JRE 1.4.x, my applet will use a specific client certificate for connection to an https url which requires a client certificate - I did that by defining runtime parameters for the jre (-Djavax.net.ssl.keyStore=...) but with JRE 1.5.x, the same runtime options doesn't seem to have any effect (even if I configure the plugin not to use the browser's store of certificates).
I like the new "use browser certifcate store" feature of the JRE 1.5.x, but can I have a way to designate, programmatically in the code of my applet, which specific certificate to use?
Maybe you are looking for
-
ITunes sharing between accounts on same Mac
Hello, Is there a way to share iTunes content (music, movies, etc.) between different user accounts on the same Mac? We have a "family" iMac with different login accounts (me, my spouse and our kids). When my spouse or kids are logged on as themselve
-
Sync iPhone 4S without outlook 2010
How can I sync my iPhone 4S with Outlook 2010 calendar?
-
Sharing user folders between two OSX partitions
I have two partitions on my drive running OSX, one running 10.9.4 (we'll call this Partition 1), the other running another recent version of OSX that I apparently can't name here because someone out there doesn't know how to read or is being a troll
-
Says sent box full all the time - but it is empty - cannot refer to any sent emails
when I write an email and send- it says sent box is full - I have compacted numerous times but no joy. any suggestions welcome I have 299 messages in sent now as have deleted alot bnad it say 4GB? inbox over 6000 and only 1.25 GB.
-
HT1933 Anyone having issues when Reporting a purchase ?
Is anyone else having issues when clicking in Report a problem link it it default back to the main screen? I have 4 unauthorised purchases on my account totalling over $350 and i need this rectified ASAP!