
Certificate to java keystore

I have been given a certificate and asked to use it to make http calls via my application (I'm using Mule which is based off Java).

The certificate I've been given is a .cer file. It is a certificate specific to my company which I think means that it has the public key of that server.

The company who gave me the CER file also gave me a password for it, e.g. abc1234.

To use it I first ran the command shown below...

keytool -importcert -file myCert.cer -keystore keystore.ks -alias 1

I then plonked it into my code as follows...

<http:request-config name="HTTP_Request_Configuration" protocol="HTTPS" host="hostname.com" port="443" doc:name="HTTP Request Configuration">
    <tls:context>          
        <tls:key-store type="jks" path="keystore.ks" alias="1" keyPassword="changeit" password="changeit"/>
    </tls:context>
</http:request-config>

When I call that endpoint in my application I get 'Error 403: Missing authentication'.

I never had to enter in the password 'abc1234' anywhere throughout this process and I'm thinking that is why I'm getting the 403. Where does that password need to be provided?

Thanks.

Thanks all for your feedback. All the answers and comments here definitely helped me.

In the end I found out that certificates do not have password (as mentioned in the comments) and that the password listed was not relevant.

I ended up finding out that the 403 was caused by an SSL handshake error and that it was not finding the CA certificate.

I was only able to find that out by turning on the SSL handshake logs.

Certificate files are not password-protected. Key stores are. So it's possible that what they sent you is not a certificate, but a complete key store. Such a key store might have been intended to support TLS client authentication—authentication with a key pair—instead of a password.

A certificate carries half of a key pair. To use it for authentication, one also needs the private key. Normally, to obtain your own certificate, you'd generate the key pair yourself and send the public key to someone to be bound together with your identity as a certificate. The standard format for sending your public key is called a CSR, or certificate signing request.

The Java keytool allows you to generate a key pair, and a CSR for that key, then later, you can import a fully signed certificate. Did you do any of these steps? It would also be possible for someone to do this process for you, and send a complete key store, but then they know "your" private key too.

Alternatively, the certificate you received may be so that your client can authenticate the server, and the password is what you are supposed to use to authenticate your client after you connect, and isn't protecting the file at all. But if the certificate really has your identity in it, as you say, this doesn't make sense.

You should have added it to your truststore, not your keystore. It is a certificate to be trusted, not to be used as your own certificate. It isn't your own certificate.
