hc-httpclient-users mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject Re: Certificate Based Client Authentication
Date Thu, 08 Mar 2007 15:27:26 GMT
Hi, Lalit,

Consider downloading "not-yet-commons-ssl-0.3.7.jar"  from here:


With "not-yet-commons-ssl-0.3.7.jar" on your classpath, you can do this:

import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustMaterial;

// KeyMaterial / TrustMaterial constructors throw GeneralSecurityException
// and IOException, so call this from a method that declares them.
char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );
TrustMaterial tm = new TrustMaterial( "/path/to/server_cert.pem" );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );
sf.addTrustMaterial( tm );
// Alternatively, if you want to disable Java's standard "cacerts", you
// can use setTrustMaterial() instead of addTrustMaterial():
// sf.setTrustMaterial( tm );
ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URLs of the form "https-special://".

If you don't have the server's X509 certificate on hand, you can
download the certificate straight from the server by using the
"not-yet-commons-ssl" Ping utility, documented here:


However, be aware that acquiring and trusting a certificate in this
way is not secure, since someone could impersonate the server in that
one moment.  It's better to acquire the server certificate
"out-of-band" through the mail or encrypted zip file or something like

If you must acquire the certificate using the "Ping" utility, at the
very least call the server's administrator and verify the fingerprint
of the certificate you downloaded!

* * *

The rest of this email explains how to do things without

It's possible to do what you're doing without
"not-yet-commons-ssl-0.3.7.jar", and just using the contrib
AuthSSLProtocolSocketFactory alone.  If you want to do things that
way, create a special "TrustStore" JKS file and import the server's
certificate into it like so:

keytool -import -file x509.pem -keystore my_new_truststore.jks

The "x509.pem" file should look like this, but with several lines of
base64 - not just those two lines I've put in this example.


Keytool is a bit picky and might get upset if the PEM file contains
ANYTHING before or after the "BEGIN" and "END" lines, including
whitespace.  Make sure there are no extra line-feeds or carriage
returns before and after the "BEGIN" and "END".

Once you have both the "keystore" and "truststore" ready (both are
java keystore files), you can do this:

import java.net.URL;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;

URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore,
trust_pwd );

If your client certificate is in PKCS12 format (e.g. *.pfx or *.p12)
after exporting from a browser, you can use the KeyStoreBuilder
utility in "not-yet-commons-ssl-0.3.7" to convert it to "Java
Keystore" format on the command line.  The original
AuthSSLProtocolSocketFactory in HttpClient's "contrib" cannot deal
with PKCS12.

java -cp not-yet-commons-ssl-0.3.7.jar org.apache.commons.ssl.KeyStoreBuilder

Good luck!



On 3/8/07, Roland Weber <ROLWEBER@de.ibm.com> wrote:
> Hello Lalit,
> Julius Davies has written some detailed mails about SSL in the last months.
> You may have to search the developer list as well as the user list.
> best regards,
>   Roland


Julius Davies

To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
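An added example, not part of the email above and not code from not-yet-commons-ssl or HttpClient's contrib package. It puts the three points of the mail together using only the JDK's own java.security / javax.net.ssl classes: the client identity is loaded straight from the PKCS12 file (the JDK's KeyStore can read PKCS12 even though the contrib AuthSSLProtocolSocketFactory cannot), the server's PEM is cut out of whatever surrounds it before parsing, its SHA-256 fingerprint is compared against the value the administrator confirmed out-of-band before the certificate is trusted, and the resulting trust store holds only that certificate (the setTrustMaterial case, cacerts not consulted). The class name, method names, argument layout and the fingerprint format are my own choices, not anything from the mail.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that presents a PKCS12 client certificate and trusts
 * ONLY the one server certificate given as PEM, refusing to proceed unless
 * that certificate's SHA-256 fingerprint matches the value obtained
 * out-of-band (e.g. read back by the server administrator over the phone).
 * Hypothetical helper written for this example; not a library API.
 */
public final class PinnedClientCertSsl {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Keep just the BEGIN..END block; drop surrounding text, blank lines and CRs. */
    static String extractPemBlock(String text) {
        int start = text.indexOf(BEGIN);
        int end = start < 0 ? -1 : text.indexOf(END, start);
        if (start < 0 || end < 0) {
            throw new IllegalArgumentException("no PEM certificate block found");
        }
        return text.substring(start, end + END.length()).replace("\r\n", "\n").trim() + "\n";
    }

    static X509Certificate parseCert(String pemText) throws Exception {
        byte[] pem = extractPemBlock(pemText).getBytes(StandardCharsets.US_ASCII);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new ByteArrayInputStream(pem)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** SHA-256 over the DER encoding, printed AA:BB:CC:... as openssl and keytool do. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Constant-time comparison after normalising case and colon separators. */
    static boolean fingerprintMatches(String actual, String expected) {
        byte[] a = actual.replace(":", "").toUpperCase().getBytes(StandardCharsets.US_ASCII);
        byte[] b = expected.replace(":", "").toUpperCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    static SSLContext build(Path clientP12, char[] p12Password,
                            Path serverPem, String expectedFingerprint) throws Exception {
        // 1. Client identity: the JDK reads PKCS12 directly, no JKS conversion needed.
        KeyStore clientKs = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(clientP12)) {
            clientKs.load(in, p12Password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, p12Password);

        // 2. Server certificate: abort unless the out-of-band fingerprint matches.
        String pemText = new String(Files.readAllBytes(serverPem), StandardCharsets.US_ASCII);
        X509Certificate server = parseCert(pemText);
        String actual = sha256Fingerprint(server);
        if (!fingerprintMatches(actual, expectedFingerprint)) {
            throw new SecurityException("server certificate fingerprint mismatch, got " + actual);
        }

        // 3. In-memory trust store containing only that certificate; the JRE's
        //    cacerts file is not consulted at all.
        KeyStore trustKs = KeyStore.getInstance(KeyStore.getDefaultType());
        trustKs.load(null, null);
        trustKs.setCertificateEntry("server", server);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PinnedClientCertSsl client.p12 p12-password server.pem AA:BB:...:FF");
            System.exit(2);
        }
        SSLContext ctx = build(Paths.get(args[0]), args[1].toCharArray(), Paths.get(args[2]), args[3]);
        // ctx.getSocketFactory() is what you hand to HttpsURLConnection or to HttpClient.
        System.out.println("SSLContext ready (" + ctx.getProtocol() + "), server certificate pinned");
    }
}
```

To get the expected fingerprint without trusting the network, run `openssl x509 -noout -fingerprint -sha256 -in server.pem` on the file the administrator sent you out-of-band, and compare it with what they read back to you. For HttpClient 3.x the returned context's socket factory still has to be wrapped in an implementation of SecureProtocolSocketFactory and registered with Protocol.registerProtocol(), exactly as the mail does with HttpSecureProtocol; that glue is not shown here.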
