
Opening a SSL socket using a pem certificate

I'm trying to connect to an SSL server using Java. I've already managed to do that in Python; however, I've got a PEM file, which isn't supported by Java. Converting it to PKCS12 didn't work.

The error when trying to connect was:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

My question is: Can you give me the Java equivalent? (Using another library is also ok)

import ssl
import socket

mysock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
mysslsock = ssl.wrap_socket(mysock, keyfile='mykey.pem', certfile='mycert.pem')
mysslsock.connect(("SOMEHOST", XXXXX))

Please note that the server requires client authentication.

Edit

That's what I did in Java:

I used openssl to convert my certificate into PKCS12 format:

openssl pkcs12 -export -out mystore.p12 -inkey mykey.pem -in mycert.pem

Then I've used the keytool that comes with the JDK to convert it into JKS:

keytool -importkeystore -destkeystore mystore.jks -srcstoretype PKCS12 -srckeystore mystore.p12

And that's my Java code:

System.setProperty("javax.net.ssl.keyStore", "mystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");

SSLSocketFactory socketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) socketFactory.createSocket(HOST, PORT);
socket.startHandshake(); // That's the line I get the exception
socket.close();

I'm sure I'm making some really stupid mistake as I don't have any experience with SSL.

Edit: Probably I somehow have the wrong certificates, so this is what they look like:

<mykey.pem>
-----BEGIN RSA PRIVATE KEY-----
ljnoabndibnwzb12387uGJBEIUQWBIDAB
....... (Some more lines)
-----END RSA PRIVATE KEY-----

<mycert.pem>
Bag Attributes
    localKeyId: XX XX XX XX
subject:...
issuer:...
-----BEGIN CERTIFICATE-----
LAinaw8921hnA.......
.....
-----END CERTIFICATE-----

Don't you need to load the key into the Java keystore?

That is a separate program.

http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html

-importcert {-alias alias} {-file cert_file} [-keypass keypass] {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption}

Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or certificate chain is read from stdin.

keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with "-----BEGIN", and bounded at the end by a string that starts with "-----END".
