Reputation: 1
I am having trouble connecting to a secure site using a Java program. I have imported the 3 certificates given by the server that I will be connecting to: the public, intermediate and root certificates. I have properly imported the 3 certs into the Java cacerts, and have also specified the following parameters when calling the Java class:
java -Djavax.net.debug=ssl -Djavax.net.ssl.keystore=JAVACACERTS -Djavax.net.ssl.keystorePassword=changeit -server -cp $CLASSPTH -Xmx500m SendOrderResponse
However, I'm getting a "bad_certificate" error. I looked at the details of the logs and it seems like the root certificate is not in the certificate chain.
Any idea why this happened, when I have imported the 3 certs into the Java cacerts? I assume that the bad certificate error was thrown because of the certificate chain error.
Upvotes: 0
Views: 48247
Reputation: 29814
I suggest you run:
openssl s_client -connect remoteserver:443
Assuming the remote server requires or requests client certificate authentication, it should send you a list of acceptable CAs.
You should send a certificate ultimately signed by one of these CAs. The SSL specification does not require that you send the CA; however, you should send the certificate and the full intermediate chain to that CA. My experience is that two CA certificates may look extremely similar to each other. The move to 2048 bits has not helped in this regard. Double check.
As a side note, your client received the bad certificate alert. The problem lies with the certificates your client is sending, not the validation of the server certificates.
(Edit) Did I mention that the certificates you send must be valid? In particular,
Upvotes: 8
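The advice above (the server names the CAs it accepts, and the client must send the leaf plus the full intermediate chain) played out end to end, as an added example that is not part of the original answer or the question. The Go program below generates a throwaway root -> intermediate -> client hierarchy in memory (constructed test material, not real certificates), starts a TLS server on loopback that, like the server in the question, trusts only the root and requires client certificates, and then handshakes twice. The client's GetClientCertificate callback captures the CA names carried in the server's CertificateRequest, which is the same list `openssl s_client` prints as acceptable client certificate CA names. With only the leaf in the chain the server cannot build a path to its trust anchor and aborts the handshake with an alert, which the client sees as `remote error: tls: ...` (the exact alert name a server chooses, bad_certificate in the question's case, varies by implementation and version); with leaf plus intermediate, and the root deliberately omitted, the handshake succeeds. The common names, the 50 ms grace period before the server hangs up, and pinning the client to TLS 1.2 (so that the server's verdict arrives before Dial returns) are my choices for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates an in-memory certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the loopback server certificate verify
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// serve listens on loopback; each handshake either completes or ends with the server's alert.
func serve(cfg *tls.Config) (addr string, stop func()) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				c.(*tls.Conn).Handshake()         // a failed client-certificate check sends the alert here
				time.Sleep(50 * time.Millisecond) // let the client read the alert before we hang up
				c.Close()
			}()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect handshakes with addr, presenting identity when asked; it returns the CA names the
// server listed in its CertificateRequest and the handshake error (nil means we were accepted).
func connect(addr string, identity tls.Certificate, roots *x509.CertPool) (acceptableCAs [][]byte, err error) {
	cfg := &tls.Config{
		RootCAs:    roots,            // the "truststore": who may vouch for the server
		MaxVersion: tls.VersionTLS12, // in TLS 1.2 the server's verdict arrives before Dial returns
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			acceptableCAs = cri.AcceptableCAs // what openssl s_client prints as acceptable CA names
			return &identity, nil
		},
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return acceptableCAs, err
}

// RunDemo builds root -> intermediate -> client plus a server cert, then tries both client chains
// against a server that trusts only the root and therefore needs the client to supply the intermediate.
func RunDemo() (serverNamedRoot bool, leafOnly, fullChain error) {
	root, rootKey := issue("Demo Root CA", true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", true, root, rootKey)
	client, clientKey := issue("order-client", false, inter, interKey)
	server, serverKey := issue("127.0.0.1", false, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	addr, stop := serve(&tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: roots,
	})
	defer stop()
	// 1) Leaf alone: no path to the trusted root, so the server answers with an alert instead of Finished.
	cas, leafOnly := connect(addr, tls.Certificate{Certificate: [][]byte{client.Raw}, PrivateKey: clientKey}, roots)
	serverNamedRoot = len(cas) == 1 && bytes.Equal(cas[0], root.RawSubject)
	// 2) Leaf + intermediate, root deliberately omitted: the path now closes at the server's own trust anchor.
	_, fullChain = connect(addr, tls.Certificate{Certificate: [][]byte{client.Raw, inter.Raw}, PrivateKey: clientKey}, roots)
	return serverNamedRoot, leafOnly, fullChain
}
func main() { fmt.Println(RunDemo()) }
```

`go run` prints whether the root was named as acceptable, the error for the leaf-only chain, and `<nil>` for the full chain. In Java terms, `RootCAs` is the truststore and the certificate handed back from the callback is the keystore entry: a JSSE key manager sends exactly the chain stored with the private-key entry, so the intermediate has to be part of that entry (a PKCS#12 built from leaf plus intermediate, or a keytool certificate reply that includes both), and importing it into cacerts as a separate trusted entry does not make the client send it. Two checks worth running on the setup in the question: `keytool -list -v -keystore <file> -alias <alias>` shows how many certificates the entry's chain actually holds ("Certificate chain length"), and JSSE reads the system properties as `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` (case-sensitive), which the lowercase spellings on the question's command line do not match.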
Reputation: 813
If you have imported the certificates, then try this:
Set PATH=<YOUR JRE/BIN>;%PATH%
and then run your Java client.
Upvotes: -3
Reputation: 122649
It looks like you're not using client certificates. In this case, don't set the javax.net.ssl.keystore parameters in your client application. Importing only the root (and perhaps intermediate) certificates in your truststore (cacerts by default) should be sufficient too.
More details about keystore/truststore in this answer: https://stackoverflow.com/a/6341566/372643
Upvotes: 1