Hello Jake,

> Maybe I'm misunderstanding the exception I'm getting. IE is normally
> used to access the 3rd party application, and it does NOT require us to
> install or even select a certificate. It DOES prompt us to accept THEIR
> certificate. We certainly don't have to generate a certificate and
> install it in a keystore for every client.

There are different kinds of certificates that can be presented and verified. So-called "server certificates" are used on the client to verify that the server is what it claims to be. "Client certificates" are used on the server to verify that the client is what it claims to be. And then there are certificates used to verify other certificates. Given all these different certificates, your subject "certificateless SSL" is really an oxymoron :-)

If IE does not require you to install a certificate, then most likely your problem is not a missing client certificate.

> The exception I'm getting in HttpClient is:
>
> [INFO] HttpMethodDirector - I/O exception
> (javax.net.ssl.SSLHandshakeException) caught when processing request:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target

A certificate path or chain is a series of certificates to verify other certificates. The server sends a certificate, the client checks it with another certificate. Then the client checks that other certificate with yet another certificate. And so on, until it reaches a "root" certificate which it knows can be trusted. IE ships with a set of root certificates, and each JDK also ships with a set of root certificates, but those sets can be different. I suspect that the certificate store used for your SSL connections is missing a root certificate that IE has.

> From what I saw in the mailing list archives, and from a Google search,
> that meant that I didn't have a certificate installed in JSSE.

Yes. And it's a "root certificate" you are missing, as opposed to a "client certificate". That's where you got Julius on a wrong track.

Have you read our SSL guide?
http://jakarta.apache.org/commons/httpclient/sslguide.html

Towards the end, you'll find a link to the EasySSLProtocolSocketFactory. That is a class which does _not_ build a certificate chain in order to verify the certificate. Rather, it simply trusts the server certificate, which seems to be what you want to do.

> Here is what I get when running the ping utility:
> [...]

I'll leave this part to Julius :-)

hope that helps,
Roland
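As an added example (not part of the message above and not code from the HttpClient project): one way to supply the missing root certificate while keeping certificate chain verification, instead of trusting whatever certificate the server presents. The class name ExtraRootTrust and the PEM file passed as the first argument are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ExtraRootTrust {
    // X509TrustManager backed by the given store; null selects the JDK's default roots.
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // In-memory store holding the JDK's roots plus the one extra root.
    static KeyStore defaultsPlus(X509Certificate extraRoot) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty, nothing is read from disk
        int i = 0;
        for (X509Certificate ca : trustManagerFor(null).getAcceptedIssuers()) {
            ks.setCertificateEntry("jdk-root-" + i++, ca);
        }
        ks.setCertificateEntry("extra-root", extraRoot);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the missing root CA certificate in PEM or DER form (assumed input)
        X509Certificate extra;
        try (InputStream in = new FileInputStream(args[0])) {
            extra = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        X509Certificate[] jdkRoots = trustManagerFor(null).getAcceptedIssuers();
        boolean known = Arrays.asList(jdkRoots).contains(extra);
        System.out.println(extra.getSubjectX500Principal() + " already in JDK roots: " + known);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerFor(defaultsPlus(extra)) }, null);
        System.out.println("SSLContext ready; certificate paths are still validated.");
    }
}
```

The SSLContext built here still has to be handed to the HTTP client in use as its socket factory; that wiring is not shown.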
