
Java Certificate / Keystore Exceptions

When attempting to implement a keystore into a Java SOAP client for accessing a WS, I get the exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We identified that the cause of this was the CA (DigiSign) wasn't in the Java trusted CA. Initially I used two certificates that were given to me by one of our senior engineers and combined them via keytool:

keytool.exe -v -alias digicert_3 -import -file DigiCertHighAssuranceCA-3.pem -keystore mykeystore.jks
keytool.exe -v -alias digicert_root -import -file DigiCertHighAssuranceEVRootCA.pem -keystore mykeystore.jks

I then copied the keystore.jks file into the Eclipse project under src/main/resources.

However, now I am getting other exceptions. I have tried multiple ways of loading the certificates into a keystore and I am getting various exceptions.

Here are the different ways I've tried to implement the keystores (one at a time):

import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;

// 'conduit' and 'tlsParams' were not declared in the original snippet; this is the usual CXF
// setup, where 'port' is the generated JAX-WS client proxy for the web service
HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
TLSClientParameters tlsParams = new TLSClientParameters();

//Load keystore from project resource
KeyStore keyStore = KeyStore.getInstance("JKS");

//Keystore created using two individual PEM certs
//Exception: java.io.IOException: Keystore was tampered with, or password was incorrect
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("mykeystore_PEM.jks"), "password".toCharArray());

//Keystore created with two certs combined into a single file
//Exception: java.io.IOException: Keystore was tampered with, or password was incorrect
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("mykeystore_Com.jks"), "password".toCharArray());

//Keystore created using two individual DER cert calls
//Exception: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("mykeystore_DER.jks"), "password".toCharArray());

//Keystore created using InstallCert
//Exception: java.security.cert.CertificateParsingException: java.io.IOException: insufficient data
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("jssecacerts"), "changeit".toCharArray());

//Build a trust manager from the loaded keystore and hand it to the CXF HTTP conduit
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
TrustManager[] trustManagers = trustFactory.getTrustManagers();
tlsParams.setTrustManagers(trustManagers);
conduit.setTlsClientParameters(tlsParams);
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(36000);
httpClientPolicy.setAllowChunking(false);
httpClientPolicy.setReceiveTimeout(32000);
conduit.setClient(httpClientPolicy);

1 & 2.) I've verified and double-checked the password, so I don't know why the first two fail with that error.

3.) On the third exception about the length, I have read that it is commonly an issue with data after the END CERTIFICATE line. I've tried it with a single blank line after (gives the 'too big' exception) or with the last line being the END CERTIFICATE line (gives some other exception).

4.) Running the InstallCert class from here, I was prompted to take one certificate, and it shows in the keystore.

Any idea why my keystores are not working? Is it something with Java code, or are the certificates/keystore not generating correctly?
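One way to sidestep the keytool/JKS step entirely is to parse the two PEM CA files with CertificateFactory and build the trust store in memory, then feed the resulting TrustManager to CXF exactly as in the snippet above. This is an added example, not code from the post; the file names are assumed to be the two PEM files from the keytool commands, and the commented-out CXF line assumes a TLSClientParameters object named tlsParams.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Builds an in-memory trust store from PEM CA certificates, with no keytool or password involved. */
public final class PemTrustStore {

    // Reads every "-----BEGIN CERTIFICATE-----" block in each stream. Bytes that are not a
    // certificate (junk after the END line, a wrong encoding) make generateCertificates()
    // throw here, which is easier to diagnose than a failed KeyStore.load() on a JKS file.
    public static KeyStore fromPem(InputStream... pemStreams) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                              // fresh empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        for (InputStream in : pemStreams) {
            try (InputStream s = in) {
                for (Certificate c : cf.generateCertificates(s)) {
                    X509Certificate x = (X509Certificate) c;
                    x.checkValidity();                    // reject expired / not-yet-valid CAs early
                    ks.setCertificateEntry("ca-" + (count++), x);   // aliases must be unique
                }
            }
        }
        if (count == 0) throw new IllegalStateException("no certificates found in PEM input");
        return ks;
    }

    public static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = fromPem(Files.newInputStream(Paths.get("DigiCertHighAssuranceEVRootCA.pem")),
                              Files.newInputStream(Paths.get("DigiCertHighAssuranceCA-3.pem")));
        X509TrustManager tm = trustManagerFor(ks);
        System.out.println("trusted issuers: " + tm.getAcceptedIssuers().length);
        // tlsParams.setTrustManagers(new TrustManager[] { tm });   // then continue as in the post
    }
}
```

If the printed issuer count is lower than the number of BEGIN/END blocks in the files, the unparsed block is the one carrying stray bytes.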

I also had some troubles in the past with SSL, Java and keystores and used this class in order to import the certificates from some server into a keystore:
http://wiki.openkm.com/images/a/a0/InstallCert.java
or https://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java

It's available on some sites in the internet.

Also a good tool for importing certificates is the keystore explorer (for windows):
http://keystore-explorer.sourceforge.net/

Hope this helps!
