0

I want to create SSL connection. I have created .cer file from .ks file using the keystore explorer 5.4.4. Used below code for creating the SSLContext. loadKeyMaterial method has tried with and without pwd.

InputStream keyStoreStream = new FileInputStream("D:\\certificate\\some.cer");
KeyStore keyStore = KeyStore.getInstance("JKS"); // or "PKCS12"
keyStore.load(keyStoreStream, "pwd".toCharArray());
SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, null).build();
CloseableHttpClient httpClient =HttpClients.custom().setSSLContext(SSLContext).build();

httpClient is being used to call api.. I get following error and i am sure generated certificate does not have any issues...

java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source)
at sun.security.provider.KeyStoreDelegator.engineLoad(Unknown Source)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source)
at java.security.KeyStore.load(Unknown Source)

I have also tried with custom SSLSocketFactory...

char[] password = "pwd".toCharArray();
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
FileOutputStream out = new FileOutputStream("certificate_path.cer");

keyStore.store(out, password);
SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, password)
        .loadTrustMaterial(null, new TrustSelfSignedStrategy())
        .build();
SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.2" }, null,
        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConnectionFactory).build();

httpClient is being used to call api.. but here I get some other error....

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)

Keystore explorer .ks file view

Export Certificate

lalit lakhchaura
  • 1
  • 2

1 Answers1

0

httpClient is being used to call api.. but here I get some other error... Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

You've to add the issuer certificates into the keystore. Issuer certificate will be use to validate the identity of target server to whom your system trying connecting to. For more details please refer to the following link.

https://stackoverflow.com/a/63491078/9926179

b.s
  • 2,409
  • 2
  • 16
  • 26
  • Many thanks Harry. Instead of doing it manually, I wanted to do programmatically. My use case is bit different and Its not mentioned here. I could have limited instances of httpClient and probably instances, could have different certificate. – lalit lakhchaura Jun 11 '22 at 05:57
  • There won't be a much difference even going with the programmatic approach. Just instead of using the default keystore, you've to put the verifier certs in a keystore loaded in SSLContext. – b.s Jun 11 '22 at 12:30