Mutual SSL - getting the key/truststores in the proper formats

Question

I generated a CSR using OpenSSL:

openssl req -out MyCompanyCsr.csr -new -newkey rsa:2048 -nodes -keyout MyCompanyPrivateKey.key

So starting out, we have:

- MyCompanyPrivateKey.key
- MyCompanyCsr.csr

Then I sent it to our integration partner, who responded with 3 files:

- PartnerIntermediateCa.crt
- PartnerRootCa.crt
- MyCompanyCsr.crt

Now I need to connect to their web service using mutual SSL. To do this, I know I need to set the truststore and keystore in my SSLSocketFactory for JAXB.

I'm instantiating the keystore and truststore in Java using:

      KeyStore trustStore = KeyStore.getInstance("JKS");
      InputStream tsis = ClassLoader.getSystemResourceAsStream(trustStorePath);
      trustStore.load(tsis, "mypassword".toCharArray());
      tsis.close();

      KeyStore keyStore = KeyStore.getInstance("JKS");
      InputStream ksis = ClassLoader.getSystemResourceAsStream(keyStorePath);
      keyStore.load(ksis, "mypassword".toCharArray());
      if (ksis != null) {
        ksis.close();
      }

      TrustManagerFactory tmf =
          TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init(trustStore);

      KeyManagerFactory kmf =
          KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      kmf.init(keyStore, "mypassword".toCharArray());

However, attempting to use this code in connecting to the server throws a SSLHandshakeException with the message http.client.failed :

com.sun.xml.ws.client.ClientTransportException: HTTP transport error: 
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

The keystore and truststore I'm using were exported from my browser, with the Client private key as a PKCS and the Server cert as a x509 Cert PKCS#7 w/ Chain'. Then opened them up in Portecle and exported them both as x509 Cert PKCS#7 w/ Chain'. Then opened them up in Portecle and exported them both as JKS` files.

Assuming the Java code is legit, how can I be sure I have correctly created the keystore and truststore ?

Thanks very much.

Answer 1

I finally figured this out. I used FireFox and Portecle .

Install the Server Certs and Private Key in the browser.

Note: One always confusing point: both the "truststore" and "keystore" are keystores as far as Portecle / Java goes. The only difference is the one we use as our keystore in the client is going to have our private keys in addition to the public certs.

TrustStore built with the server certificates:

• Go to a URL at the address, click next to the address bar (lock icon, showing SSL enabled)
• Security tab > View Certificate > Details tab > Export button
• Choose type: X.509 Certificate with chain (PKCS#7).

• Save somewhere as ffTestServerCert.crt

• Open in Portecle via: Examine menu > Examine Certificate > select ffTestServerCert.crt

• You can now see the certs contained in this (I see 3 for instance). Each needs to be exported by itself. Click arrow buttons at top of page and for each:
• Click "PEM Encoding" button
• Save button

• Save as .pem file on disk (for this example, say I have caCert1.pem, caCert2.pem, caCert3.pem)

• Create new Keystore in Portecle: File > New Keystore > JKS

• For each exported cert from above (caCert1.pem, caCert2.pem, caCert3.pem), do:
• Tools > Import Trusted Certificate > select the .pem > Import button
• Message box pops up saying we need to determine if we trust this certificate.
• Click Ok > Ok (if you trust the cert) > Yes > Enter alias (I left it at default) > Ok

• Repeat for any other certs you want to import (I did all 3).

• Save keystore in Portecle:

• File > Save Keystore as... >
• Enter truststore password twice
• Enter name to save it as, such as clientTrustStore.jks

Congrats, that's the valid truststore .

KeyStore built with the private key and server certificates:

• First import the private keys into FireFox (or Chrome or IE)
• Use the browser to export the private key in PKCS format.
• Firefox > Preferences > Advanced tab > Encryption tab > View Certificates > Your Certificates
• Select the one you want to export > click Backup button
• (Only option here is PKCS12 format, which is what we want)
• Choose a name - clientKeys.p12
• enter a password for the keystore

• Should say they were exported, click Ok

• Open keys in Portecle

• File > Open Keystore > choose clientKeys.p12 we saved above

• Enter password chosen above

• Convert to JKS using Portecle

• Tools > Change Keystore Type > JKS
• Read the warning message about how the current type doesn't support key-pair entry passwords
• Important: this action sets the inside password for the key-pair entries password .
• To change the password of the internal key-pair entries, select any 'key pair' in the file in Portecle (their icon will be a pair of keys, on on top of the other)
• Right click 'key pair entry' > Set Password
• Enter old password (which is 'password') and enter new passwords to what you want

• Hit Ok

• Save keystore :

• In Portecle do: File > Save Keystore As > enter name, such as clientKeyStore.jks
• Hit Save

Finished

Now you have the correctly-configured clientTrustStore.jks and clientKeyStore.jks for authenticating your client.

To see an example of how these can now be used, you can check out: SOAP with mutual SSL - how to send over credentials?