
I have created a keypair with keytool for client authentication. From this file I exported the public key as a certificate for the server to authenticate the client.

Client setup:
Loaded the server certificate into a truststore file and used the keystore file as keystore. The client works when I load truststore and keystore via code with SSLContext and using Apache HttpClient:

    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.ssl.SSLContexts;

    // Client keystore: holds the client's private key and certificate chain
    KeyStore keyStore = KeyStore.getInstance("JKS");
    keyStore.load(new FileInputStream("keystore"), keyPassphrase.toCharArray());
    // Truststore supplies the server certificate, keystore supplies the client certificate
    SSLContext sslcontext = SSLContexts.custom()
            .loadTrustMaterial(new File("truststore"), trustPassphrase.toCharArray(),
                    new TrustSelfSignedStrategy())
            .loadKeyMaterial(keyStore, keyPassphrase.toCharArray())
            .build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            sslcontext,
            new String[] {"TLSv1"},
            null,
            SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    CloseableHttpClient httpclient = HttpClients.custom()
            .setSSLSocketFactory(sslsf)
            .build();

The SSL output shows that the client presents the certificate chain. Setting the keystore with SoapUI also works fine.

My problem: providing the same truststore and keystore via VM arguments (not using SSLContext), I see that the client doesn't present the certificate chain in the SSL output.
VM args:

    -Djavax.net.debug=ssl 
    -Djavax.net.ssl.keyStoreType=JKS 
    -Djavax.net.ssl.keyStore=keystore 
    -Djavax.net.ssl.keyStorePassword=keystorepw
    -Djavax.net.ssl.trustStoreType=jks 
    -Djavax.net.ssl.trustStore=truststore 
    -Djavax.net.ssl.trustStorePassword=truststorepw
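When the keystore is supplied through `javax.net.ssl.*` properties, the JDK's default key manager opens the file with `javax.net.ssl.keyStorePassword` and uses that same password to recover every private key, and it can only present an entry that is a PrivateKeyEntry. The following diagnostic, an added example that is not part of the question or answer above, reads the same properties the default SSLContext reads and reports which aliases could actually be offered as a client certificate; the class name `ClientKeyStoreCheck` is an assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added diagnostic (hypothetical class name): checks the keystore the
// javax.net.ssl.* properties point at, the way the default SSLContext sees it.
public class ClientKeyStoreCheck {

    // Returns the aliases of private-key entries whose key opens with the given
    // password, i.e. the only entries the default key manager can present.
    static List<String> usableClientKeyAliases(KeyStore ks, char[] password) throws Exception {
        List<String> usable = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("  " + alias + ": trusted-cert entry only, no private key -> cannot be presented");
                continue;
            }
            try {
                PrivateKey key = (PrivateKey) ks.getKey(alias, password);
                System.out.println("  " + alias + ": private key (" + key.getAlgorithm()
                        + "), chain length " + ks.getCertificateChain(alias).length);
                usable.add(alias);
            } catch (UnrecoverableKeyException e) {
                System.out.println("  " + alias + ": key password differs from keystore password -> default key manager cannot use it");
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.keyStorePassword");
        if (path == null || pw == null) {
            System.out.println("javax.net.ssl.keyStore / keyStorePassword not set: no client certificate will be presented");
            return;
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw.toCharArray());
        }
        System.out.println("Keystore " + path + " (" + type + "), " + ks.size() + " entries:");
        List<String> usable = usableClientKeyAliases(ks, pw.toCharArray());
        System.out.println(usable.isEmpty() ? "No usable client key entry" : "Usable client key aliases: " + usable);
    }
}
```

Run it with exactly the `-Djavax.net.ssl.keyStore*` arguments from the question so that it sees the same file and password the JVM would use.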

1 Answer

You seem to have a typo in your VM argument: you have trustore as the arg value, whereas your code used truststore. I hope it really is this simple.


1 Comment

Thanks for pointing out the typo - but this isn't the reason. And I am more worried about the keystore... as this doesn't seem to present the certificate to the server.
