
I have a genuine certificate "salientrisk.crt" and its key "salientrisk.key". The server is configured as an SSL server with this certificate. Now, on the client side, the handshake should only succeed if I have the same certificate; otherwise it should fail and the client should not be allowed to connect to the server.

How do I make the handshake between client and server work using the public/private keys?

The problem is that if I pass a self-signed certificate here, it also works, which I don't want.

I am using the following piece of code in the main class:

    SSLContext sslContext = null;
    try {
        sslContext = SSLContext.getInstance("SSL");
        ServerTrustManager serverTrustManager = new ServerTrustManager();
        sslContext.init(null, new TrustManager[]{serverTrustManager}, null);
    } catch (Exception e) {
        logger.error("Error while getting SSL context", e);
    }


=================================================


    package com.common.restclient;

    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    import javax.net.ssl.X509TrustManager;

    public class ServerTrustManager implements X509TrustManager {

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // TODO Auto-generated method stub
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // TODO Auto-generated method stub
            X509Certificate cert = null;

            try (InputStream inStream = new FileInputStream("SSLCertificate/salientrisk.crt")) {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                cert = (X509Certificate) cf.generateCertificate(inStream);
            } catch (FileNotFoundException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            } catch (IOException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }

            cert.checkValidity();
            cert.getIssuerUniqueID();
            cert.getSubjectDN();
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // TODO Auto-generated method stub
            return null;
        }

    }

2 Answers


It is possible that the key pair on your server is also self-signed, and the one you are testing with has the same parent CA certificate.

mel3kings
  • My server is also configured with the genuine certificate "salientrisk.crt" and "salientrisk.key". So I want to reject any self-signed certificate and any certificate that does not match my server certificate. Please tell me if you have any solution for this. How can I implement it in Java? –  Feb 16 '16 at 09:10


You are looking for certificate pinning. Check out https://github.com/ikust/hello-pinnedcerts for test code.

Aniket Thakur
  • I have my certificate only as .crt and .key; I don't have other formats. –  Feb 16 '16 at 06:32
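An added example of the certificate pinning this answer refers to, not code from the question or from the linked repository: a client-side trust manager that accepts only the certificate loaded from a given file (the class name and the `certPath` parameter are assumptions) and throws for anything else, including a self-signed certificate that copies the server's subject name.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.X509TrustManager;

/** Client-side trust manager that accepts exactly one server certificate: the pinned one. */
public class PinnedServerTrustManager implements X509TrustManager {
    private final X509Certificate pinned;

    /** Load the pinned certificate once (assumed to be a PEM or DER encoded X.509 file). */
    public PinnedServerTrustManager(String certPath) throws IOException, CertificateException {
        try (InputStream in = new FileInputStream(certPath)) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        X509Certificate leaf = chain[0];   // the certificate the server presented for itself
        leaf.checkValidity();              // reject expired or not-yet-valid certificates
        // Compare the DER encoding byte for byte: a self-signed certificate that copies the
        // subject name, or any other certificate, encodes differently and is rejected.
        if (!Arrays.equals(leaf.getEncoded(), pinned.getEncoded())) {
            throw new CertificateException("server certificate does not match the pinned one: "
                    + leaf.getSubjectX500Principal());
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Used only on the client side, so never vouch for a client certificate.
        throw new CertificateException("client certificate validation not supported");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[] { pinned };
    }
}
```

Install it with `sslContext.init(null, new TrustManager[]{ new PinnedServerTrustManager("SSLCertificate/salientrisk.crt") }, null)` in place of `ServerTrustManager` in the main-class snippet. Because the whole certificate is pinned, the client must ship a new copy whenever the server certificate is renewed.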