Client Certificates in Android - Java

I want a server to validate a client through a certificate. I have the certificate user_cert.pem and the key user_cert.pkey stored locally.
How will I do an HttpsURLConnection authenticating the client to the server?
I have searched, but I am a little bit confused. I found this link.
The problem is that my certificate is in *.pem format.
Should I set the KeyStore like this?
KeyStore ks = KeyStore.getInstance("PEM");
Sorry if I give vague information, but I think there is not enough documentation.
I found a post describing that
Android supports certificates only in BKS format, and if we have certificates in PEM format, we should change them into BKS format through the Portecle GUI software.
I just ask for any source of information about client certificates in PEM format in Android.

First things first: your private key won't be private anymore if your application is distributed, because it can be extracted from an APK easily.
80% of the code needed for using client certificates is in the official Android documentation (Unknown certificate authority).
Then, instead of the part with TrustManagerFactory, use a KeyManagerFactory and call sslContext.init(kmf.getKeyManagers(), null, null);.
FYI:
CRT/PEM is the same certificate format. Only the file extension changes.
BKS is the Android equivalent of JKS, because JKS is not usable in Android.

Related

Transfer trusted certificate (plus private key / chain) from Java keystore (jks) to Windows Certificate Manager

Some quick background on what I'm trying to do: a client is using a third party web service that requires mutual authentication. The service requires the client certificate be signed by a public certificate authority (i.e., not self-signed). The client has some software written in Java that connects to the service, hence they used Java keytool to generate the original signing request and the key/certificate are stored in a jks keystore.
Our software that the client is going to be using is written in C#/.NET and will need to connect to the third party web service. As such, we will need to be able to access the client certificate.
I can't seem to find any way to export the certificate (along with private key) to either the Windows Certificate Manager or some other format that can be opened by .NET security libraries.
Exporting to a PKCS12 file does not work because keytool does not support it for trusted certificates (not sure if that is a keytool limitation or a limitation of the format).
I also found some Java code for getting the private keys, but I can't seem to figure out how I can get that into Windows Certificate Manager and associate it with the certificate. (How do I list / export private keys from a keystore?)
As a side note, the client doesn't want to generate a new certificate as there is a whole process involved in sending it to and getting it approved by the third party service they are connecting to.
Ultimately I'm hoping there are some commands I can run with keytool/openssl/etc that will allow the certificate & key to be exported/transferred into the Windows Certificate Manager (or some format that it can import).
(Sorry if my terminology is off or if some of this doesn't make sense. I kind of got stuck supporting this despite not being all that familiar with managing certificates.)
This seems to work for exporting the certificate but not the entire chain; the trick is to specify the srcalias:
keytool -v -importkeystore -srckeystore .keystore -srcalias mykey -destkeystore myp12file.p12 -deststoretype PKCS12
Thanks to Warren for pointing me to this: How to export private key from a keystore of self-signed certificate

Error: Not trusted server certificate on Android 2.3 and older

I have a certificate from GlobalSign.com (.pem file). This file consists of 2 certificates inside (I've examined it with Portecle). Using Portecle I created a BKS keystore and tried to use it in the app. I have read many different tutorials on similar topics. I've tried:
Security with HTTPS and SSL
One more solution
Using a Custom Certificate Trust Store on Android
Android: Trusting SSL certificates
others
None of the solutions worked, and I still have "Error: Not trusted server certificate". Maybe you have an idea what I'm doing wrong.
P.S. There are a lot of trust-all 'solutions', but I need a proper solution.
It is difficult to say exactly why you are having the issue, but it sounds like you do not have the private key for the certificate you received from GlobalSign. I presume you generated the CSR? If so, you will need to import the .pem file that you received back from GlobalSign using the same method; if you did not generate the CSR from a private key within your BKS keystore, then it would not be a trusted certificate.
That is what I think is going on anyway.
The problem was solved. I asked GlobalSign technical support about the certificates. They ran some tests and gave recommendations on how to configure the certificates on the server side. The Android part wasn't changed.

Last attempt at SSL/TLS

I have been trying to get OpenSSL/JSSE from C++ to Java working for weeks. If I can't find a solution I am just going to disregard the whole idea. No matter what I seem to do I keep getting a "sslv3 alert certificate unknown" error. I have a self-signed key that works fine on the server end of things, but I get the error when connecting to OpenSSL's s_server utility. I have been looking for a solution for weeks. Help would be appreciated! I have a self-signed crt file and a server.key file. I put the cert in the Java keystore but I still get the error.
Your self signed certificate is probably what is causing your problem.
This site has basic, dirty instructions on creating a CA, and this site has similar instructions but is a little more verbose.
Here's the way you need to have this play out:
1. Create your CA.
2. Create your certificate for the server.
3. Create two keystores:
   - Server keystore containing the server private key, server public certificate (signed by the CA), and the CA certificate.
   - Client keystore containing only the CA certificate.
This site gives you the system properties needed to configure the Java engine to use the keystores as key stores and trust stores. The trust store will be needed on both ends to allow correct verification of the certificates in question.
As far as the s_client utility goes, you will have to use the -CApath option to point to the directory containing the CA certificates you trust, or -CAfile to point to your self-signed CA as trusted.
Just comment back if you need more help. This is frustrating but once you get the basics down you'll be a pro in no time.

TLS/SSL client authentication using a client certificate which comes available at runtime Android/Java

Suppose I have an application which in some way retrieves a client certificate (private/public key pair) at runtime via a secure channel (so I don't have this client certificate at build time).
How can I use this client certificate for client authentication without using keytool and without using some persistent/on-disk keystore? So I do not want to (actually I can't) import it using the command-line keytool.
Actually I want to replicate the functionality done in libcurl. You just set the client certificate (with private key) and you're done. It doesn't involve a keystore.
All this has to be done in Java/Android.
You can do it in Java by defining your own KeyManager as described in the JSSE Reference Guide. I can't speak for Android.
I just got this working and I don't think you'll be very happy with my answer, but it does work :)
So the hard part is to get the PKCS12 certificate you need to perform client authentication. If your certificate is already in PKCS12, then you've got all the hard stuff out of the way and you can refer to the second answer on SSL client authentication in Android to see how to use that certificate.
If you just have a public/private key pair and not a PKCS12 certificate, then you will need to make one. As far as I could tell there is no way in Java/Android to create this certificate, so you need to use the Android NDK and OpenSSL.
If you download the openssl-android project from https://github.com/guardianproject/openssl-android you can use it to build OpenSSL. By default it compiles as a .so shared object, but only some of the Android devices I tried to run this code on were able to link against libcrypto, so, although I'm sure there is a better way, I went into the Android.mk files and replaced include $(BUILD_SHARED_LIBRARY) with include $(BUILD_STATIC_LIBRARY) in a few places so that I could compile a .a static library.
I then used the info from Android NDK: Link using a pre-compiled static library to link the libcrypto.a I compiled into my native code.
This native code uses OpenSSL to first create an X509 certificate and then uses it to create a PKCS12 file, which can be used in the manner I mentioned before, located at SSL client authentication in Android.
First you need to get your public and private keys into native land as EVP_PKEY pointers, which can happen in a variety of ways based on what format your keys are in. Then you can use the following code to create an X509 certificate:
X509 *public_key_cert = X509_new();
X509_gmtime_adj(X509_get_notBefore(public_key_cert), 0);                  /* valid from now */
X509_gmtime_adj(X509_get_notAfter(public_key_cert), (long) 60*60*24*365); /* ... for one year */
X509_set_pubkey(public_key_cert, evp_pub_key);
This creates the most minimally valid X509 certificate which is valid for 1 year. You may want to do other stuff like sign the certificate if you are going to run your own certificate authority, or set any of a large set of headers which contain various bits of information.
Next you need to create the PKCS12 certificate using the X509 cert like this:
PKCS12 *pkcs12 = PKCS12_create(password, "Some Sort of Friendly Name", evp_priv_key, public_key_cert, NULL, 0, 0, 0, 0, 0);
password is a char* containing the password which will be used to encrypt the private key using triple-DES.
Now that you have a pkcs12 certificate you can go over to SSL client authentication in Android and get client authentication going.
Good Luck!
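Both the first thread's answer (a KeyManagerFactory and sslContext.init(kmf.getKeyManagers(), null, null)) and this thread's question (key material that only exists at runtime, no keytool, no on-disk keystore) can be handled with plain Java/Android APIs rather than the NDK. This is an added example, not code from any of the posts: it reads the PEM certificate and an unencrypted PKCS#8 key (file names taken from the first question; a "BEGIN RSA PRIVATE KEY" file must first be converted with openssl pkcs8 -topk8 -nocrypt), builds an in-memory PKCS12 KeyStore, and hands it to HttpsURLConnection. It assumes java.util.Base64 (Java 8 / Android API 26 and later) and the placeholder URL https://server.example/.

```java
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.*;

public final class ClientCertTls {
    // Decodes an unencrypted PKCS#8 PEM key ("-----BEGIN PRIVATE KEY-----"). A traditional
    // "BEGIN RSA PRIVATE KEY" file must be converted first: openssl pkcs8 -topk8 -nocrypt -in user_cert.pkey
    static PrivateKey parsePkcs8Pem(String pem, String algorithm) throws GeneralSecurityException {
        String body = pem.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "");
        byte[] der = Base64.getMimeDecoder().decode(body); // the MIME decoder ignores line breaks
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Builds an SSLContext that presents the certificate chain and key to the server (mutual TLS).
    static SSLContext clientAuthContext(String certPem, String keyPem, String keyAlgorithm) throws GeneralSecurityException {
        // CertificateFactory reads PEM directly; generateCertificates() keeps the whole chain.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate[] chain = cf.generateCertificates(new ByteArrayInputStream(
                certPem.getBytes(StandardCharsets.US_ASCII))).toArray(new Certificate[0]);
        // In-memory keystore: nothing touches disk and no keytool/Portecle step is needed.
        // The password only protects the entry inside this process.
        char[] pw = "in-memory".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("client", parsePkcs8Pem(keyPem, keyAlgorithm), pw, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        // null TrustManagers: the platform's default CA set verifies the server. Pass your own
        // TrustManager[] (from a TrustManagerFactory) here if the server uses a private CA.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // File names from the question; the URL is a placeholder for the real endpoint.
        String certPem = new String(Files.readAllBytes(Paths.get("user_cert.pem")), StandardCharsets.US_ASCII);
        String keyPem = new String(Files.readAllBytes(Paths.get("user_cert.pkey")), StandardCharsets.US_ASCII);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://server.example/").openConnection();
        conn.setSSLSocketFactory(clientAuthContext(certPem, keyPem, "RSA").getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the server's handshake fails with a certificate alert, check that the chain in user_cert.pem starts with the end-entity certificate and that the server's trust store contains the CA that issued it.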

Keystore in PKCS12 format seems empty to keytool, but is read by Firefox?

I have a problem with a keystore in pkcs12 format, which contains a private key I need to use to authenticate myself (using mutual authentication) to a remote SSL server. The keystore file can be read perfectly fine by Firefox, and when used, I can access the remote server without problems.
However, my Java program does not work with the keystore file. And if I use keytool to list keys inside the file, it seems empty -- while it is clearly not!
How can I get Java/keytool to see the private key inside the keystore?
Java can only understand JKS format, which stands for Java KeyStore.
Here is a good article on generating the .jks from PKCS12:
http://blog.asyd.net/2009/07/how-to-convert-a-pkcs12-to-jks/
