Thursday, June 11, 2009

How to use SSL with a client certificate in Java

I recently had to access a server (a web service to be specific but this doesn't matter) with a custom client certificate in Java. I never worked with SSL in Java so this was some challenge but I finally managed it. I also found most of the resources on the web rather unhelpful or at the least my specific use case was nowhere covered on the whole. So here is how I did it. Please note my instructions refer to Java 6 SE only.

Let me start at the end. What you need for SSL in Java is a keystore containing your private key information and a trust store containing the certificates you trust. When you access a secure site with a browser and the certificate authority (CA) that signed the site's certificate is unknown to the browser you get a prompt whether you trust this certificate or not. The trust store is the equivalent of you accepting a new certificate in a web browser. This is only needed in cases where you signed the certificate yourself.

The rest of this article assumes the file that represents the keystore is named keystore.jks and the file that represents trust store is named cacerts. The default format of the keystore is the proprietary Java KeyStore format, hence the .jks suffix. Java KeyStores are created with the keytool which is shipped with every Java 6 SDK.
Note: If you don't specify a file for the keystore, a file is created for you in your home directory (in Linux it's ~/.keystore). In this case you don't need to set up anything special in your Java program because this keystore is automatically searched for in case you try to establish a secure connection. I deliberately use my own file because it's a little bit more flexible—especially in development environments. There also exists a global trust store. You can find it under <jdk-install>/jre/lib/security/cacerts. I don't recommend to tamper with this file for development purposes. At the very least backup this file before you modify it.

Anyway, how do we create these two stores?

At first I assume you have a signed client certificate in e.g. PEM format. This means the content of the certificate will look something like this:

-------- BEGIN CERTIFICATE ----------
// lots of base64
-------- END CERTIFICATE ------------
-------- BEGIN RSA PRIVATE KEY ------
// lots of base64
-------- END RSA PRIVATE KEY --------

I'll refer to this file with the name client-cert.pem.
I think it doesn't really matter if the file has another format because you can convert many of these formats to PEM with one of the OpenSSL utilities. We're going to need these tools anyway.

The first approach I used does NOT work:

keytool -importcert -keystore keystore.jks -file client-cert.pem

The resulting file contains no information about the private key. Somehow only the certificate gets imported or something. You can easily verify this by issuing the following command:

keytool -list -v -keystore keystore.jks

This lists the entry type trustedCertEntry. What we need is PrivateKeyEntry.
To be honest I don't really understand this behaviour and it took me hours to realize that this step was the reason SSL didn't work for me.

At first we have to create a certificate in PKCS#12 format. With OpenSSL we can achieve this like that:

openssl pkcs12 -export -in client-cert.pem -out client-cert.p12

You get a prompt to enter a password. It is possible to leave this empty and theoretically you could do that because this file is only an intermediate file for your Java KeyStore. Don't leave the password empty! keytool doesn't like empty passwords so you definitely have to provide one. Just use password or something.

Now you get a new file client-cert.p12. Next we can create the keystore:

keytool -importkeystore -srckeystore client-cert.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

You get prompted for the password for the PKCS#12 certificate (this is the point where an empty password is fatal) and another one for your new keystore. It is not possible to enter a password with less than six characters. If you check with the above used -list command you can see that this time the entry type is correct.

If you use a self signed certificate you need to create an appropriate trust store. I refer to this blog post. I used the program InstallCert with a few modifications (basically I changed some file paths because I wanted my very own trust store as I mentioned before). I hope this provides no difficulties.

Now we want to use these two files in our Java program. This is quite easy to accomplish. There are four properties we need: and for the file locations of our key and trust store respectively. The passwords to the files are provided with and

You set these properties either before you start the JVM like this:

java etc.

or in your code like this:

System.setProperty("", "/path/to/keystore.jks");
System.setProperty("", "password");
// etc.

Well, I hope this helps someone. This took me quite some time to figure out.

Sunday, June 7, 2009

Slashdot in Opera

I'm a longtime Opera user that still refuses (and hopefully always will) to switch to Firefox. I just don't see any need for it. I'm sort of proud of it and regularly advertise it without trying to be too nagging. I believe in freedom of choice so use what you want, be it Safari or IE or lynx.

But one thing that has always been bugging me is the browsing experience of Slashdot in Opera. There is just one word for it: abysmal. I don't understand how a site can honestly proclaim to have "News for nerds" without paying respect to a few standards regarding the layout and design of the site. Right now the main page doesn't validate with 84 errors. Now I dont't think that validation is everything (although I'm a fan of it). But I think that every site owner should check that his site looks and feels good in every major browser. And even that is only partly necessary because in today's software world with all its reusing of components many browsers share the same layout engine (Gecko, KHTML/WebKit, Trident, Presto, …).
Anyway… the design of Slashdot is quite broken. The "new" discussion system D2 doesn't really work. I really like it because it enables you to fold in and out comments on the fly without having to reload an entire page which is much faster. But after opening and closing a comment certain elements of the page disappear. At least it used to be the case. Right now it doesn't work at all. Clicking the headline of a comment opens a new page with the comment in question.
A few days ago I had the error that headlines of all comments were white on white background. Every time I wanted to see the titles or scores I had to highlight it which was very annoying. It also seemed to be limited to certain categories of the site but I didn't look for it and thank god this issue seems to be fixed anyway.
But now something new appeared: Weird graphics appear in the corners of many comments (see screenshot below).

These strange elements seem to be part of this bigger graphics file. Although the file name suggests something about controls, in Opera these annoying things serve no purpose. I noticed that Chrome has these as well but not IE6 (I have no newer version at hand).
The tag system also doesn't work. Upon hovering the keywords there used to appear some "things" (category highlighters or something, I never knew what they were supposed to be/do) but right now nothing happens anymore. Then again I never used the tags so I don't really care about this issue.

I really don't see why the site gets online like that. Especially a site for nerds. Of course the right course of action would be to file a few bug reports. The reason I didn't do it in the past is that these bugs are just obvious. The don't require long steps to reproduce. You just open the site and they slam you in the face.

From the comments of Opera related news one can easily see that there are quite a few Opera users on Slashdot. Also Opera is quite nice (see video) to Slashdot. Why can't Slashdot be nice to Opera?

Update: It got worse.

Update 2: It seems to be over. Could've been for a couple of days already but I didn't have much time to read Slashdot lately.