why doesn’t java send the client certificate during SSL handshake?

by

It’s possible that you may have imported the intermediate CA certificate into the keystore without associating it with the entry where you have your client certificate and its private key. You should be able to see this using keytool -v -list -keystore store.jks. If you only get one certificate per alias entry, they’re not together.

You would need to import your certificate and its chain together into the keystore alias that has your private key.

To find out which keystore alias has the private key, use keytool -list -keystore store.jks (I’m assuming JKS store type here). This will tell you something like this:

Your keystore contains 1 entry

myalias, Feb 15, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): xxxxxxxx

Here, the alias is myalias. If you use -v in addition to this, you should see Alias Name: myalias.

If you don’t have it separately already, export your client certificate from the keystore:

keytool -exportcert -rfc -file clientcert.pem -keystore store.jks -alias myalias

This should give you a PEM file.

Using a text editor (or cat), prepare file (let’s call it bundle.pem) with that client certificate and the intermediate CA certificate (and possibly the root CA certificate itself if you want), so that the client-certificate is at the beginning and its issuer cert is just under.

This should look like:

-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV
....
-----END CERTIFICATE-----

Now, import this bundle back together into the alias where your private key is:

keytool -importcert -keystore store.jks -alias myalias -file bundle.pem

More Related Contents:

  1. Trusting all certificates using HttpClient over HTTPS
  2. How to fix the “java.security.cert.CertificateException: No subject alternative names present” error?
  3. Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
  4. Accept server’s self-signed ssl certificate in Java client
  5. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  6. Java HTTPS client certificate authentication
  7. How to handle invalid SSL certificates with Apache HttpClient? [duplicate]
  8. How to programmatically set the SSLContext of a JAX-WS client?
  9. Does Java support Let’s Encrypt certificates?
  10. How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?
  11. Simple Java HTTPS server
  12. SSLHandshakeException: No subject alternative names present
  13. HttpGet with HTTPS : SSLPeerUnverifiedException
  14. How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
  15. Problems connecting via HTTPS/SSL through own Java client
  16. Java and HTTPS url connection without downloading certificate
  17. Whats an easy way to totally ignore ssl with java url connections?
  18. How to do an HTTPS POST from Android?
  19. How to convert certificate from PEM to JKS?
  20. PKIX path building failed in Java application
  21. Enabling specific SSL protocols with Android WebViewClient
  22. How do I do TLS with BouncyCastle?
  23. How can I know if the request to the servlet was executed using HTTP or HTTPS?
  24. Java SSLException: hostname in certificate didn’t match
  25. Using SSLContext with just a CA certificate and no keystore
  26. javax.net.ssl.SSLException: SSL handshake aborted Connection reset by peer while calling webservice Android
  27. Android SSL HttpGet (No peer certificate) error OR (Connection closed by peer) error
  28. Can we load multiple Certificates & Keys in a Key Store?
  29. How to override DNS in HTTP connections in Java
  30. Ignore self-signed ssl cert using Jersey Client [duplicate]

Leave a Comment