Received fatal alert: bad_certificate
You need to add the root cert to the keystore as well.
highflyer
Updated on July 14, 2022
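A worked version of the fix the answer describes, added here as an example and not code from the original post: the private-key entry's chain carries the client certificate followed by the root, the trust store holds the root, and the chain is validated with `CertPathValidator` before the `SSLContext` is built, so a chain the server would reject with `bad_certificate` fails locally with a readable reason instead of a TLS alert. It assumes the client certificate is issued directly by the root (an intermediate would sit between them in the chain) and that the `PrivateKey` has already been loaded as in the question; the class name, method names and aliases are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Placeholder class name; builds a client-side SSLContext for mutual TLS.
public class ClientTlsSetup {

    // Loads one DER/PEM X.509 certificate from a path supplied by the caller.
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Offline check that the client certificate really chains to the root we
    // intend to present. The path holds only the leaf (and any intermediates);
    // the root is supplied as the trust anchor, not as part of the path.
    static void validateChain(X509Certificate clientCert, X509Certificate rootCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(rootCert, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP lookup in this offline check
        CertPathValidator.getInstance("PKIX")
                .validate(cf.generateCertPath(List.of(clientCert)), params);
    }

    // privateKey: the key generated for the CSR (loading it is the caller's job, as in the question)
    // clientCert: the certificate the CA issued for that key
    // rootCert:   the CA root obtained out of band
    static SSLContext buildContext(PrivateKey privateKey, X509Certificate clientCert,
                                   X509Certificate rootCert, char[] password) throws Exception {
        // Fail early with a CertPathValidatorException rather than a bare bad_certificate alert.
        validateChain(clientCert, rootCert);

        // Key store: the chain stored with the private key is exactly what the
        // SunX509 key manager sends in the Certificate message, so the root goes
        // in here too, directly after the leaf.
        X509Certificate[] chain = { clientCert, rootCert };
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setEntry("client", new KeyStore.PrivateKeyEntry(privateKey, chain),
                new KeyStore.PasswordProtection(password));

        // Trust store: only the root, used to verify the server's certificate.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("root", rootCert);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Usage: `buildContext(privateKey, loadCert("client.crt"), loadCert("root.crt"), "123".toCharArray())` returns the context, and `ctx.getSocketFactory().createSocket(host, port)` opens the connection. If the server still answers with `bad_certificate`, running the client with `-Djavax.net.debug=ssl:handshake` prints the certificate chain actually sent, which is the quickest way to confirm that the root is present and that the server's trust store contains the same root.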
-
highflyer almost 2 years
I am trying to set up an SSL Socket connection (and am doing the following on the client).
I generate a Certificate Signing Request to obtain a signed client certificate.
Now I have a private key (used during the CSR), a signed client certificate and a root certificate (obtained out of band).
I add the private key and signed client certificate to a cert chain and add that to the key manager, and the root cert to the trust manager. But I get a bad certificate error.
I am pretty sure I am using the right certs. Should I add the signed client cert to the trust manager as well? Tried that, no luck still.
```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

// ks, jks (KeyStore), privateKey, clientCertFile and filename are declared earlier (not shown)

// I add the private key and the client cert to KeyStore ks
FileInputStream certificateStream = new FileInputStream(clientCertFile);
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
java.security.cert.Certificate[] chain = {};
chain = certificateFactory.generateCertificates(certificateStream).toArray(chain);
certificateStream.close();
String privateKeyEntryPassword = "123";
ks.setEntry("abc", new KeyStore.PrivateKeyEntry(privateKey, chain),
        new KeyStore.PasswordProtection(privateKeyEntryPassword.toCharArray()));

// Add the root certificate to keystore jks
FileInputStream is = new FileInputStream(new File(filename));
CertificateFactory cf = CertificateFactory.getInstance("X.509");
java.security.cert.X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
System.out.println("Certificate Information: ");
System.out.println(cert.getSubjectDN().toString());
jks.setCertificateEntry(cert.getSubjectDN().toString(), cert);

// Initialize the keymanager and trustmanager and add them to the SSL context
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "123".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(jks);
```
Is there some sort of certificate chain that I need to create here?
I had a p12 with these components as well, and using pretty similar code, adding the private key to the keymanager and the root cert from the p12 to the trust manager, I could make it work. But now I need to make it work without the p12.

EDIT: Stack trace was requested. Hope this suffices. (NOTE: I masked the filenames)

```
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at client.abc2.openSocketConnection(abc2.java:33)
    at client.abc1.runClient(abc1.java:63)
    at screens.app.abc.validateLogin(abc.java:197)
    ... 32 more
```
-
user207421 almost 12 years: He is 'opening the connection as usual' and it isn't working. He isn't using HTTPS. You don't need a HostnameVerifier for SSL, only for HTTPS. The one you have posted is radically insecure and should be so noted, or not posted at all. Not an answer.
-
highflyer almost 12 years: Thanks again. I added the client cert and private key to the first keystore (k1) and then k1 to the keymanagerfactory. Then the root cert to keystore (k2) and k2 to the trustmanagerfactory.
-
user207421 about 6 years: Well of course you did. There is no default keystore. Not an answer to this question.
-
Jaroslav Záruba almost 3 years: I agree this is not an answer to the question, however it is related and may help those who stumble on this post by way of a general "bad_certificate" search. That's exactly my case.