
I am trying to connect to an SSL web server. We currently have a PKCS12 file and connect with it; that is our private key and certificate. Is it possible to connect using Java code with a public key and certificate? Imagine I have a file (it is digital, but here is the PEM output).

> Myfile.pk12 / Myfile.pem
> 
> -----BEGIN CERTIFICATE----- ...
> -----END CERTIFICATE-----
> 
> -----BEGIN ENCRYPTED PRIVATE KEY----- ...
> -----END ENCRYPTED PRIVATE KEY-----

And we can connect to the server with this:

import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
import org.apache.commons.httpclient.params.HttpMethodParams;
import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;

        // PKCS12 store holding the client certificate and its private key
        KeyStore keyStore = generateKeyStore();
        System.out.println("==>" + keyStore);
        // HttpClient 4.1 constructor: (algorithm, keystore, keystore password,
        // truststore, SecureRandom, hostname verifier); null truststore means
        // the JVM default trust store is used
        SSLSocketFactory socketFactory = new SSLSocketFactory(
                SSLSocketFactory.TLS,
                keyStore,
                KEYSTORE_PASSCODE,
                null,
                null,
                SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

...

This works, but let's say we connect with the certificate and public key. Wouldn't Java internally create a private key based on the keystore we provide and that would allow us to connect? E.g.

> MyfileNEW.pk12 / MyfileNEW.pem
> 
> -----BEGIN CERTIFICATE----- ...
> -----END CERTIFICATE-----
> 
> -----BEGIN PUBLIC KEY----- ...
> -----END PUBLIC KEY-----

If the public key is embedded in the certificate? Can I use Java to send a request to the server without pre-creating a private key?

Berlin Brown

1 Answer


If the server requires a 2-way (mutual) SSL connection (where the client must be authenticated by the server and the server must be trusted by the client), then you need to provide 2 keystores. One containing the private key and public certificate, and the other containing a list of trusted certificate authorities (CAs).

If the server allows 1-way SSL (where the client must trust the server), then you only need to provide one keystore containing a list of trusted CAs.

You can't create a private key from the public key. That would defeat the purpose.

Check out the documentation of SSLSocketFactory for more details.

But notice that this class is deprecated. It recommends that you use SSLConnectionSocketFactory instead.

gtrig
  • If you are using 2-way SSL, can you set up the public/private key independent of the server setup? E.g. in openssl, you generate a self-signed certificate, and then the public/private key for the client. Is that all that is required? And then the server could set up their certificate/public key independently. – Berlin Brown Dec 11 '13 at 00:27
  • Usually, the server certificate is signed by a Certificate Authority (CA). The certificate from the CA needs to be in the trust store of the client. Then the client will trust the server certificate. Similarly, the client certificate needs to be trusted by the server. If the same CA signs both, then both the server and client can have the same trust keystore containing the CA certificate. The client certificate is often checked in the web server (ex. Tomcat). Additionally, the application on the server can impose other checks on the client certificate like verifying the DN, etc. – gtrig Dec 11 '13 at 00:45
  • One more question, let's say I follow the steps below (see the answer). I don't see the connection between the client (tomcat) and server (weblogic) certificates? http://stackoverflow.com/questions/16290992/two-way-ssl-with-tomcat-as-client-to-weblogic – Berlin Brown Dec 11 '13 at 13:52
  • In the example you linked to, both client and server had self-signed certs. This is an option, but not generally what is done if this is going to be a production application. The self-signed cert generated for the client (Tomcat) was added to the server's (Weblogic) trust keystore. That way, the server will trust the client explicitly. The server's cert was also added to the trust keystore, and both client and server use the same trust keystore. As I mentioned above, the other way to do this would be to have a CA sign the client cert and then place the CA cert in the server's trust keystore. – gtrig Dec 11 '13 at 18:01
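The answer's two cases (1-way TLS with only a trust store, 2-way TLS with a trust store plus a key store holding the private key) and the comment thread's point about CA-signed certificates in the trust store, put together as one added example using the non-deprecated SSLConnectionSocketFactory the answer recommends. This is not code from the question or the answer; it assumes Apache HttpClient 4.4+ with HttpCore 4.4+ (for `org.apache.http.ssl.SSLContexts`), and the file paths, passwords and URL are placeholders. The `hasClientPrivateKey` check makes the answer's point concrete: a PKCS12 that holds only a certificate and public key has no key entry, so it cannot be used for client authentication.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;

public final class MutualTlsClient {

    // Placeholder paths, passwords and URL (assumptions, not values from the page).
    private static final String CLIENT_P12 = "/path/to/Myfile.p12";
    private static final char[] CLIENT_P12_PASSWORD = "changeit".toCharArray();
    private static final String TRUST_STORE = "/path/to/truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();
    private static final String SERVER_URL = "https://example.invalid/";

    /** Loads a keystore of the given type ("PKCS12" or "JKS") from disk. */
    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * True only if the store contains a private key entry. A store that holds
     * just a certificate (and therefore just a public key) returns false and
     * cannot authenticate the client: the server's CertificateVerify check needs
     * a signature that only the private key can produce.
     */
    static boolean hasClientPrivateKey(KeyStore ks, char[] password) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias) && ks.getKey(alias, password) instanceof PrivateKey) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds an HttpClient. The trust store (CA certificates the client accepts)
     * is always required; the identity store is only loaded for 2-way TLS.
     */
    static CloseableHttpClient build(KeyStore identity, char[] keyPassword,
                                     KeyStore trust, boolean mutual) throws Exception {
        // Trust store only: this is all 1-way TLS needs.
        SSLContextBuilder builder = SSLContexts.custom().loadTrustMaterial(trust, null);
        if (mutual) {
            // Key store with the client's private key: required for 2-way TLS.
            builder.loadKeyMaterial(identity, keyPassword);
        }
        SSLContext ctx = builder.build();
        // Single-argument constructor keeps the default hostname verifier, unlike
        // the ALLOW_ALL_HOSTNAME_VERIFIER in the question, which disables that check.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(ctx);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        KeyStore identity = load("PKCS12", CLIENT_P12, CLIENT_P12_PASSWORD);
        KeyStore trust = load("JKS", TRUST_STORE, TRUST_STORE_PASSWORD);

        // Fail early instead of getting an opaque handshake error from the server.
        boolean mutual = hasClientPrivateKey(identity, CLIENT_P12_PASSWORD);
        if (!mutual) {
            System.err.println("PKCS12 holds no private key: only 1-way TLS is possible");
        }

        try (CloseableHttpClient client = build(identity, CLIENT_P12_PASSWORD, trust, mutual);
             CloseableHttpResponse resp = client.execute(new HttpGet(SERVER_URL))) {
            System.out.println(resp.getStatusLine());
        }
    }
}
```

If the server requires client authentication and `mutual` is false, the handshake fails on the server side (typically a `bad_certificate` or `handshake_failure` alert), which is the behaviour the answer describes: the private key cannot be derived from the public key, so it has to be present in the key store.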