TomStrummer wrote:
I've gone over those instructions and a dozen variants. Like I said, I've
imported the cert into a JKS keystore and use that in my SSLSocketFactory.
No dice.
There's no client authentication; it's just trying to authenticate the
server against a trusted CA and I think I'm just having a problem properly
importing a certificate _chain_ (not just a single certificate) into the
keystore.
Well, you do not need an entire chain.
Say, the client is configured to trust a certificate issued by a trusted
CA, called 'trusted CA'. If the client receives the following
certificate chain
'server cert' -> 'department cert' -> 'company cert' -> 'trusted CA'
the entire chain is trusted. Effectively you need only one certificate
in the chain to trust the whole chain.
I don't really want to create a custom trust manager as this more
or less bypasses the SSL security.
I've tried...
- exporting the chain as a PEM file and importing into the keystore (I get
only the top certificate)
- exporting the chain as a PKCS#7 file - keytool says it's not an X.509
certificate
- exporting the individual certs as PEM or PKCS#7 - they can be imported into
a keystore but are not chained
- exported via various different options that IE's certificate export wizard
gives. None of them seem to work.
To sum up: you need to import a certificate of the trusted CA into a
keystore file and configure the SSL context, passing an instance of KeyStore
generated from that file as a _truststore_. Pass null as the keystore
parameter. That is it. Run your application with the -Djavax.net.debug=all
system property to see where exactly things get screwy.
Hope this helps
Oleg
olegk wrote:
The Javadocs of the SSLSocketFactory include instructions on how to create
a trust store given a trusted public certificate. I guess this should be
sufficient:
http://hc.apache.org/httpcomponents-client/httpclient/apidocs/org/apache/http/conn/ssl/SSLSocketFactory.html
In the worst case, one can set up an SSL context with a trust manager
trusting any certificate, including invalid ones.
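The truststore-only setup Oleg describes, written out as an added example (not code from the thread or from HttpClient itself). It assumes the HttpClient 4.0 `SSLSocketFactory(KeyStore, String, KeyStore)` constructor; the file path, password and host name are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class TrustStoreOnlyExample {

    /**
     * Loads a JKS file that holds only the CA certificate to trust. Only the
     * CA cert needs to be in it, e.g. created beforehand with:
     *   keytool -importcert -alias trustedca -file ca.pem -keystore truststore.jks
     */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        return trustStore;
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: replace with your own path and password.
        KeyStore trustStore = loadTrustStore("/path/to/truststore.jks", "changeit".toCharArray());

        // No client authentication: the keystore and its password are null,
        // only the truststore is supplied. Server chains that end in the
        // imported CA are accepted; everything else is rejected.
        SSLSocketFactory sslFactory = new SSLSocketFactory(null, null, trustStore);
        // Keep strict host name checking; do not weaken it to "allow all".
        sslFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        HttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
              .register(new Scheme("https", sslFactory, 443));

        HttpResponse response = client.execute(new HttpGet("https://example.internal/"));
        System.out.println(response.getStatusLine());
        if (response.getEntity() != null) {
            response.getEntity().consumeContent(); // release the connection
        }
        client.getConnectionManager().shutdown();
    }
}
```

If the handshake still fails, run with -Djavax.net.debug=all as suggested above; the output shows which certificate in the server's chain could not be linked to the CA in the truststore.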