Joshua

Reputation: 4320

Java truststore root certificate not trusted of [myserver.mydomain.com]

I am running into some difficulty trying to connect to a server using a custom java truststore, where I get the following error when I try to connect. I have very little experience using java to connect via SSL so I'm concerned there's just something I'm unaware of causing an issue:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: root certificate not trusted of [myserver.mydomain.com]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at org.jiv

The connection requires both a keystore and a truststore which I have created in the following manner:

Keystore:

Truststore:


From there I upload the mykey.cer to the server's trusted certificate store. One thing I noticed when I inspected the connection using my jar file (java -Djavax.net.debug=ssl,handshake -jar myjar.jar myserver.mydomain.com User truststore.jks <PW> mykeystore.jks <PW>) is that the server is actually signed by a Digicert intermediate cert. So I also added both the intermediate and root certs from Digicert into the truststore (not the keystore), but that does not work.

However, if I cat the intermediate and root certs and use them in an openssl connection from the client to the server it successfully connects, which leads me to believe it's something to do with the java truststore.


Edit: I'm calling the connection in java with the following:

TLSConfiguration config = new TLSConfiguration();
config.setHosts(hostnames);
config.setUserName(username);
config.setGroup(Group.EPS.value());
config.setKeystorePath(keystoreFilename);
config.setKeystorePassphrase(keystorePassword);
config.setTruststorePath(truststoreFilename);
config.setTruststorePassphrase(truststorePassword);

Example: java -Djavax.net.debug=ssl,handshake -jar myjar.jar myserver.mydomain.com User truststore.jks <PW> mykeystore.jks <PW>

Upvotes: 0

Views: 3375

Answers (1)

jbppsu

Reputation: 158

It's not really clear from your question which trust store you are using. Did you load your self-signed certificate into the default trust store with something like this?

keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias yourAliasName -file path\to\certificate.cer

If not, you need to tell Java which trust store to use. If you don't, it will use the default (which doesn't have your self-signed cert in it). You need to do this:

-Djavax.net.ssl.trustStore=<path to your truststore>.jks -Djavax.net.ssl.trustStorePassword=<your password>

Note: if you set a trust store via -D parameters your code will trust ONLY CAs in that trust store.

To specify which keystore to use you can add these java opts:

-Djavax.net.ssl.keyStore=<path to your keystore>.jks -Djavax.net.ssl.keyStorePassword=<your keystore password>

Upvotes: 0
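The same keystore/truststore selection done in code rather than through -D properties, as an added example that is not from the question or the answer: it loads the two JKS files, prints the issuers the trust manager will actually accept (so a missing DigiCert root shows up before the handshake), and then performs a TLS handshake with hostname verification. The class name, argument order and the hypothetical server are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustStoreCheck {
    // Build an SSLContext from an explicit keystore (client identity) and
    // truststore (CAs we accept). Equivalent to the -Djavax.net.ssl.* properties
    // in the answer, but scoped to this context instead of the whole JVM.
    static SSLContext build(String keystorePath, char[] keystorePw,
                            String truststorePath, char[] truststorePw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, keystorePw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keystorePw);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) { ts.load(in, truststorePw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // Diagnostic: these are the only issuers the handshake will accept. If the
        // DigiCert root (or whichever CA signed the server chain) is not listed here,
        // "root certificate not trusted" is the expected outcome.
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted issuer: " + ca.getSubjectX500Principal());
                }
            }
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage (assumed argument order): host port keystore.jks keystorePw truststore.jks truststorePw
    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(args[2], args[3].toCharArray(), args[4], args[5].toCharArray());
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // also check the cert matches the hostname
            sock.setSSLParameters(params);
            sock.startHandshake(); // throws SSLHandshakeException if the chain is not trusted
            System.out.println("handshake OK; server presented " + sock.getSession().getPeerPrincipal());
        }
    }
}
```

Run it with -Djavax.net.debug=ssl,handshake as in the question to see which certificate in the server's chain fails to chain to one of the printed issuers.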
