
I am trying to configure SSL (mTLS) in my Java (Thrift) client. I need a truststore that contains my CA certificate, so that the client can trust the server certificate.

First I tried to use OpenSSL to generate the p12 file:

openssl pkcs12 -export -in "ca.crt" -out "truststore.p12" -nokeys

But when connecting, I get: javax.net.ssl.SSLHandshakeException: No trusted certificate found

When I try using keytool:

keytool -import -file ca.crt -alias ca -keystore truststore.p12

the connection works.

Server Code:

#include <memory>
#include <thrift/transport/TSSLServerSocket.h>
#include <thrift/transport/TSSLSocket.h>

auto ssl_factory = std::make_shared<apache::thrift::transport::TSSLSocketFactory>(
        apache::thrift::transport::SSLProtocol::TLSv1_2);
ssl_factory->loadCertificate("cert.crt");        // server certificate (PEM)
ssl_factory->loadPrivateKey("cert.key");         // matching private key (PEM)
ssl_factory->loadTrustedCertificates("ca.crt");  // CA used to verify client certificates
ssl_factory->authenticate(true);                 // require and verify the client certificate (mTLS)
ssl_factory->server(true);
server_socket = new apache::thrift::transport::TSSLServerSocket(bind_address, port, ssl_factory);

Client Code:

import org.apache.thrift.transport.TSSLTransportFactory;

TSSLTransportFactory.TSSLTransportParameters sslParam =
        new TSSLTransportFactory.TSSLTransportParameters("TLSv1.2", null, false);
// client certificate and key, presented to the server (mTLS)
sslParam.setKeyStore("cert.p12", password, "SunX509", "PKCS12");
// CA certificate(s) used to verify the server certificate
sslParam.setTrustStore("truststore.p12", password, "SunX509", "PKCS12");
clientSocket = TSSLTransportFactory.getClientSocket(key.hostname, key.port, timeoutMs, sslParam);

Why is there a difference between the OpenSSL-generated PKCS12 (with only CA cert, -nokeys) and the keytool-generated PKCS12?

Why does Java not accept the OpenSSL version as a valid truststore?

It is working correctly now, so the code and the other certificates are not the problem.
I just want to understand the difference between a truststore.p12 generated with keytool and one generated with OpenSSL.
Did keytool apply some special handling that OpenSSL did not?

  • What does keytool -list -keystore truststore.p12 print? When I follow your steps it prints "your keystore contains 0 entries". Commented Aug 29 at 7:29
  • Sorry, maybe I don't understand, please forgive me. Without -nokeys the command can't execute: $ openssl pkcs12 -export -in "ca.crt" -out "truststore.p12" gives: unable to load private key 140304383473472:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY Commented Aug 29 at 7:32
  • Ignore that, I was wrong. I still think there's something wrong with that openssl command, but I'm rusty enough not to know what it is. Commented Aug 29 at 7:45
  • OK, still thanks for your answer. Commented Aug 29 at 8:47
  • The tutorial at SSL.com says you can't export .crt to .p12 without including the private key. It works, but evidently nothing is actually done. But you have your keytool command. Commented Aug 30 at 8:12
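The difference the question asks about is a bag attribute, not the certificate or the container format. Java's PKCS12 KeyStore only turns a certBag that has no matching private key into a trustedCertEntry when the bag carries the Oracle "trusted key usage" attribute (OID 2.16.840.1.113894.746875.1.1). keytool -import writes that attribute; openssl pkcs12 -export -nokeys does not, so Java sees a well-formed PKCS#12 with zero usable entries and the handshake fails with "No trusted certificate found" (which is also why the comment above saw "your keystore contains 0 entries"). The script below is an added example, not code from the original post or from the Thrift project: it builds a throwaway CA, exports it both ways, and inspects the bag attributes with openssl so the missing attribute can be seen directly. It assumes a writable scratch directory, the placeholder password "changeit", and, for the second export, an openssl whose pkcs12 command offers -jdktrust (recent 3.x releases do; the script checks for the option instead of assuming a version). keytool is used only if installed.

```shell
#!/bin/sh
# Added example; not code from the original post. Reproduces the difference
# between the two truststores with openssl alone (keytool is used if present).
# Assumptions: a writable scratch dir, the placeholder password "changeit",
# and an openssl whose pkcs12 command knows -jdktrust (checked, not assumed).
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"

# Throwaway self-signed CA, constructed here so the script runs offline.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# The command from the question: a cert-only PKCS#12. Its certBag carries no
# trust attribute, so Java's PKCS12 KeyStore drops it ("contains 0 entries").
build_plain_p12() {
  openssl pkcs12 -export -in "$WORK/ca.crt" -nokeys \
    -passout "pass:$PASS" -out "$WORK/plain.p12"
}

# What keytool -import does implicitly: tag the certBag with the Oracle
# "trusted key usage" attribute (OID 2.16.840.1.113894.746875.1.1). That
# attribute is what makes Java load a key-less cert as a trustedCertEntry.
build_jdktrust_p12() {
  openssl pkcs12 -export -in "$WORK/ca.crt" -nokeys \
    -jdktrust anyExtendedKeyUsage \
    -passout "pass:$PASS" -out "$WORK/jdktrust.p12"
}

# Does this openssl build support -jdktrust? (Recent 3.x releases do.)
openssl_has_jdktrust() {
  openssl pkcs12 -help 2>&1 | grep -q -- '-jdktrust'
}

# Dump the bag attributes of a PKCS#12 and return 0 if the Oracle
# trusted-key-usage attribute is present, 1 if not. Depending on the openssl
# version it is printed by long name or as the dotted OID; match both.
has_jdk_trust_attr() {
  openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$PASS" 2>&1 |
    grep -qiE 'trusted ?key ?usage|2\.16\.840\.1\.113894\.746875\.1\.1'
}

report() {
  echo "$1:"
  if has_jdk_trust_attr "$2"; then
    echo "  Oracle trusted-key-usage attribute: present (Java lists a trustedCertEntry)"
  else
    echo "  Oracle trusted-key-usage attribute: ABSENT (Java lists 0 entries)"
  fi
}

# Cross-check with the JDK when available: keytool -list shows either
# "trustedCertEntry" or "Your keystore contains 0 entries".
list_with_keytool() {
  command -v keytool >/dev/null 2>&1 || { echo "  (keytool not installed, skipping)"; return 0; }
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$PASS" | sed 's/^/  /'
}

make_ca
build_plain_p12
report "plain.p12 (openssl pkcs12 -export -nokeys)" "$WORK/plain.p12"
list_with_keytool "$WORK/plain.p12"

if openssl_has_jdktrust; then
  build_jdktrust_p12
  report "jdktrust.p12 (... -nokeys -jdktrust anyExtendedKeyUsage)" "$WORK/jdktrust.p12"
  list_with_keytool "$WORK/jdktrust.p12"
else
  echo "this openssl has no -jdktrust option; skipping the jdktrust build"
fi

# The question's working path, non-interactively, for comparison.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -alias ca -file "$WORK/ca.crt" \
    -keystore "$WORK/keytool.p12" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1
  echo "keytool.p12 (keytool -importcert):"
  list_with_keytool "$WORK/keytool.p12"
fi
echo "artifacts left in $WORK"
```

The practical check on the Java side is the same one keytool -list performs: load the file with KeyStore.getInstance("PKCS12"), iterate aliases(), and confirm isCertificateEntry(alias) is true for the CA; an empty alias list means the trust attribute is missing. If the openssl in use predates -jdktrust, there is no command-line switch that adds the attribute, and keytool -importcert (or any tool that writes the Oracle attribute) is the way to produce a truststore Java will actually use; the openssl-only file is not a broken PKCS#12, it is just one with no entries Java recognises as trusted.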
