Java Forum / Security / June 2004


SSL (HTTPS) with self-signed certificate: keytool -import? Custom TrustManager? No trusted certificate found

Dave Briccetti - 14 Jun 2004 17:35 GMT
Hi. What is required to make an HTTPS connection to a server with a
self-signed certificate? Must the certificate be imported into the
client's .keystore or cacerts keystore? Is a custom TrustManager necessary?

(Why can I make an HTTPS connection to www.sun.com, without importing a
certificate? Is it because the certificate that www.sun.com provides is
signed by an authority that Java recognizes?)

Here's my code:

System.setProperty("javax.net.ssl.keyStore", (tried both home dir
.keystore and .../lib/security/cacerts after importing into both)
System.setProperty("javax.net.ssl.keyStorePassword","foo");
try {
    java.net.URL url = new java.net.URL("https://a-web-server");
    url.getContent();
} ...

It fails with:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found

Thanks in advance!

Dave Briccetti
www.davebsoft.com
Roedy Green - 14 Jun 2004 22:13 GMT
>Must the certificate be imported into the
>client's .keystore or cacerts keystore?

http://mindprod.com/jgloss/keytool.html#EXPORTING

Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.

Dave Briccetti - 15 Jun 2004 01:42 GMT
>>Must the certificate be imported into the
>>client's .keystore or cacerts keystore?
>
> http://mindprod.com/jgloss/keytool.html#EXPORTING

Hi Roedy. Thanks for this reply (and another recent one). What you
pointed me to talks of private keys, which makes me think I didn't
explain clearly. The server end is working. This is the client, which
just needs the server's public key (in its certificate), right?
Roedy Green - 15 Jun 2004 01:57 GMT
>Hi Roedy. Thanks for this reply (and another recent one). What you
>pointed me to talks of private keys, which makes me think I didn't
>explain clearly. The server end is working. This is the client, which
>just needs the server's public key (in its certificate), right?

Nope.  That would be an impossibly big job. All the browser needs is
the signing authority's public key, the root certificate.  That is all
it needs to validate a public key of its certificate presented by the
server when challenged.

See http://mindprod.com/jgloss/certificate.html#ROOT


Dave Briccetti - 15 Jun 2004 06:36 GMT
>>Hi Roedy. Thanks for this reply (and another recent one). What you
>>pointed me to talks of private keys, which makes me think I didn't
[quoted text clipped - 7 lines]
>
> See http://mindprod.com/jgloss/certificate.html#ROOT

I appreciate your help but your latest reply doesn't seem to address my
situation. This document you recommended talks about signing authorities
and getting updated root certificates, but this is a self-signed
certificate. Are you misunderstanding me, or am I misunderstanding you?
:-)  Again, I appreciate your trying to help.
Roedy Green - 15 Jun 2004 06:41 GMT
>I appreciate your help but your latest reply doesn't seem to address my
>situation. This document you recommended talks about signing authorities
>and getting updated root certificates, but this is a self-signed
>certificate. Are you misunderstanding me, or am I misunderstanding you?

That's the disadvantage of self-signed certs. You have to get the
public key in all the browsers. This is only practical for in house
use or if you don't care that many people will not bother to
communicate with you.

See http://mindprod.com/jgloss/certificate.html#REAL


Roedy Green - 15 Jun 2004 07:09 GMT
>That's the disadvantage of self-signed certs. You have to get the
>public key in all the browsers. This is only practical for in house
>use or if you don't care that many people will not bother to
>communicate with you.
>
>See http://mindprod.com/jgloss/certificate.html#REAL

If you are willing to use Applets or JWS, instead of browser FORMS, I
have devised a scheme for secure transmission that does not require
any SSL certificate at all.

See http://mindprod.com/products.html#WRAPPER.


Dave Briccetti - 15 Jun 2004 08:05 GMT
>>That's the disadvantage of self-signed certs. You have to get the
>>public key in all the browsers. This is only practical for in house
[quoted text clipped - 8 lines]
>
> See http://mindprod.com/products.html#WRAPPER.

I never mentioned browser forms, but I did say I wanted this code to work:

    java.net.URL url = new java.net.URL("https://a-web-server");
    url.getContent();

"a-web-server" is an in-house development server which gives a
self-signed certificate.

I'll save your excellent tips for the future, when I might be doing the
things that they relate to. Thanks again, Roedy.

Any ideas from other folks?
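The thread ends without an answer, so here is the fix a practitioner would apply, as an added example that is not code from any of the posts above. It addresses the question as stated in Dave's first post and restated here, and Roedy's point that a self-signed certificate's public key has to be handed to every client: a self-signed certificate is its own root, so the client needs exactly that one certificate in its trust store. The posted code sets javax.net.ssl.keyStore, which is where JSSE looks for the client's own private key and certificate; the server's certificate is checked only against the trust store, which is javax.net.ssl.trustStore if that property is set and otherwise the running JRE's lib/security/cacerts (or jssecacerts beside it). The example builds that trust store in memory from a certificate file and uses it for one connection. The class name, the file name server.crt, the alias a-web-server and the URL are assumptions; it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): talk HTTPS to a server whose
 * certificate is self-signed by trusting exactly that certificate.
 * Assumed inputs: args[0] = file holding the server certificate (PEM or
 * DER, e.g. server.crt), args[1] = the URL (e.g. https://a-web-server/).
 */
public class SelfSignedHttpsClient {

    /** Read one X.509 certificate from disk. */
    static X509Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Refuse anything that is not actually self-signed: subject must equal
     * issuer and the signature must verify with the certificate's own public
     * key. This catches pinning the wrong file by mistake.
     */
    static void requireSelfSigned(X509Certificate cert) throws Exception {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new IllegalArgumentException("not self-signed, issued by " + cert.getIssuerX500Principal());
        }
        cert.verify(cert.getPublicKey());   // throws if the signature does not check out
    }

    /**
     * SSLContext whose trust store holds only this certificate. A self-signed
     * certificate is its own root, so this is the in-memory equivalent of
     *   keytool -import -alias a-web-server -file server.crt -keystore truststore.jks
     * plus -Djavax.net.ssl.trustStore=truststore.jks. Note trustStore, not
     * keyStore: the key store is the client's OWN private key and certificate
     * and is never consulted when the server's certificate is checked.
     */
    static SSLContext contextTrustingOnly(X509Certificate serverCert) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // new, empty store
        trustStore.setCertificateEntry("a-web-server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);      // no client key, default RNG
        return ctx;
    }

    /**
     * Fetch the URL with the pinned context on this connection only, so the
     * JVM-wide defaults (and every other HTTPS call in the process) stay as
     * they are. Host name verification remains on: the certificate must also
     * name the host it is served from.
     */
    static int fetch(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            return conn.getResponseCode();                 // performs the handshake
        } finally {
            conn.disconnect();
        }
    }

    /** SHA-256 fingerprint, to compare out of band with whoever runs the server. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b & 0xff));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        X509Certificate serverCert = loadCertificate(args[0]);
        requireSelfSigned(serverCert);
        System.out.println("Pinning " + serverCert.getSubjectX500Principal()
                + " sha256=" + fingerprint(serverCert));
        System.out.println("HTTP " + fetch(args[1], contextTrustingOnly(serverCert)));
    }
}
```

Obtain the certificate with keytool -printcert -sslserver a-web-server:443 -rfc > server.crt, confirm the printed fingerprint with the server's administrator before trusting it, then run java SelfSignedHttpsClient server.crt https://a-web-server/. Two checks worth knowing: -Djavax.net.debug=ssl prints which trust store the JVM actually loaded, which settles "imported into cacerts but it still fails" (importing into one JDK's cacerts while running under a different JRE is a common cause); and setting javax.net.ssl.trustStore replaces the default cacerts rather than adding to it, so a client that must also reach public sites should import the self-signed certificate into a copy of cacerts instead. Do not "fix" this with an X509TrustManager whose checkServerTrusted does nothing: that accepts any certificate and lets anyone on the network path impersonate the server.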
Roedy Green - 15 Jun 2004 21:01 GMT
>"a-web-server" is an in-house development server which gives a
>self-signed certificate.

one more idea for you to reject.

http://mindprod.com/projects/rootcertinstaller.html



©2008 Advenet LLC   Privacy Policy - Terms of Use