> -----Original Message-----
> From: KARR, DAVID
> Sent: Friday, April 07, 2017 2:45 PM
> To: [email protected]
> Subject: 2-way auth with SSL, ClientBuilder, gets "unable to find valid certification path to requested target", but curl call works
>
> I'm trying to use CXF ClientBuilder to make a call to a REST service on an SSL connection using 2-way auth.
>
> I was having some trouble populating the keystore of the ClientBuilder because my key file was in the PKCS#1 format. After I converted the file to PKCS#8 format, I was able to build the client, but now I'm getting an "unable to find valid certification path to requested target" error when I try to make a connection. I didn't have any particular problem populating the truststore of the ClientBuilder, but that error message may indicate there's something wrong with it.
>
> I'm able to make a "curl" call to the same URL using the given key and cert files, and that gets through the SSL handshake fine.
>
> The details for my issue are at
> https://urldefense.proofpoint.com/v2/url?u=http-3A__stackoverflow.com_questions_43268952_cxf-2Drest-2Dclient-2Dcall-2Dwith-2D2-2Dway-2Dauth-2Dfailing-2Dwith-2Dunable-2Dto-2Dfind-2Dvalid-2Dcertific&d=DwIFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=OsTemSXEn-xy2uk0vYF_EA&m=DzSVzlGEoaFygAJENSnehgD5ehjAem6IM6Vo8IuH-YA&s=ThuvL33Ybj8mx6ykQQIWBp7dMM403UEv-JXrtEzHZuA&e= .
>
> Note that the last "Update" in the posting talks about how I turned on "-Djavax.net.debug=all", and it shows some suspicious debug output associated with that. It seems like it thinks the truststore "is" the cacerts file in my JDK, even though I created the truststore in memory from a single certificate, like this:
> -------------------
> KeyStore trustStore = KeyStore.getInstance("jks");
> trustStore.load(null, "changeit".toCharArray());
> Certificate cert = buildCertFromFile("<path to cert file>");
> trustStore.setCertificateEntry("cert", cert);
>
> ...
>
> ClientBuilder builder = ClientBuilder.newBuilder();
> builder.trustStore(trustStore);
> ...
> client = builder.build();
> -------------------
>
> Any idea what might be going wrong here?
If it matters, I've gotten past this. The key was properly integrating the key and cert into a keystore, some of which I just have to understand that it works, without understanding all the details. I did have to load the keystore in the ClientBuilder, but not the truststore.
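The reply above says the fix was getting the key and certificate into a keystore correctly but does not show how. The following is an added example, not code from the thread or from CXF, of the two in-memory stores the JAX-RS `ClientBuilder` expects for 2-way TLS: a keystore holding the client's PKCS#8 private key together with its certificate chain under one alias, and a truststore holding the CA certificate that issued the server's certificate. The JDK's `KeyFactory` only accepts PKCS#8 (`-----BEGIN PRIVATE KEY-----`), which matches the PKCS#1 conversion the original question mentions. The "unable to find valid certification path to requested target" message is the JDK's PKIX error for a server chain with no trust anchor in the truststore actually used for the handshake; when no truststore takes effect, the JDK falls back to its default `cacerts`, which is consistent with the debug output described in the question. File names, the `changeit` password, the aliases and the target URL are placeholders chosen for this example.

```java
// Added example (not from the thread or from CXF): build a client KeyStore and a TrustStore
// in memory and hand both to the JAX-RS ClientBuilder for mutual TLS.
// File paths, aliases, the password and the URL are placeholders for this example.
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

public class MutualTlsClientExample {

    /**
     * Parses an unencrypted PKCS#8 PEM key ("-----BEGIN PRIVATE KEY-----").
     * KeyFactory does not read PKCS#1 ("-----BEGIN RSA PRIVATE KEY-----"); convert first with
     *   openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem
     */
    static PrivateKey loadPkcs8PrivateKey(String path, String algorithm) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new IllegalArgumentException(path + " is not an unencrypted PKCS#8 PEM key");
        }
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Reads every X.509 certificate in a PEM file, in file order. */
    static Certificate[] loadCertificates(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificates(in).toArray(new Certificate[0]);
        }
    }

    /** Client identity: private key plus its certificate chain (leaf first) under one alias. */
    static KeyStore buildKeyStore(PrivateKey key, Certificate[] chain, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                          // start empty instead of reading a file
        ks.setKeyEntry("client", key, password, chain); // key and chain must share the alias
        return ks;
    }

    /** Trust anchors: the CA certificate(s) that issued the server's certificate. */
    static KeyStore buildTrustStore(Certificate[] caCerts) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        for (int i = 0; i < caCerts.length; i++) {
            ts.setCertificateEntry("ca-" + i, caCerts[i]);
        }
        return ts;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // placeholder; the store lives only in memory

        PrivateKey key = loadPkcs8PrivateKey("client-key-pkcs8.pem", "RSA");
        Certificate[] chain = loadCertificates("client-cert.pem");  // leaf, then any intermediates
        Certificate[] caCerts = loadCertificates("server-ca.pem");  // issuer(s) of the server cert

        Client client = ClientBuilder.newBuilder()
                .keyStore(buildKeyStore(key, chain, password), password)  // presents the client cert
                .trustStore(buildTrustStore(caCerts))                     // validates the server cert
                .build();

        String body = client.target("https://service.example/api/health")
                .request()
                .get(String.class);
        System.out.println(body);
        client.close();
    }
}
```

The truststore is still needed whenever the server's certificate comes from a private CA; it can be omitted, as the reply found, only when the issuer is already present in the JDK's default `cacerts`. Running with `-Djavax.net.debug=ssl:handshake` shows which trust anchors were loaded and which certificate the client presented, which is the quickest way to confirm that the stores built here are the ones the handshake actually used.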
