I have a Java client trying to access a server with a self-signed certificate.
When I try to Post to the server, I get the following error:
unable to find valid certification path to requested target
Having done some research on the issue, I then did the following.
Saved my server's domain name as a root.cer file.
In my Glassfish server's JRE, I ran this:
keytool -import -alias example -keystore cacerts -file root.cer
To check the cert was added to my cacert successfully, I did this:
keytool -list -v -keystore cacerts
I can see the cert is present.
I then restarted Glassfish and retried the 'post'.
I am still getting the same error.
I have a feeling this is because my Glassfish is not actually reading the cacert file that I have amended but maybe some other one.
Have any of you had this issue and can push me in the right direction?
Unfortunately - it could be many things - and lots of app servers and other java 'wrappers' are prone to play with properties and their 'own' take on keychains and what not. So it may be looking at something totally different.
Short of truss-ing - I'd try:
java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...
to see if that helps. Instead of 'all' one can also set it to 'ssl', key manager and trust manager - which may help in your case. Setting it to 'help' will list something like below on most platforms.
Regardless, do make sure you fully understand the difference between the keystore (in which you have the private key and cert you prove your own identity with) and the trust store (which determines who you trust), and the fact that your own identity also has a 'chain' of trust to the root, which is separate from any chain to a root you need to figure out 'who' you trust.
    all            turn on all debugging
    ssl            turn on ssl debugging

    The following can be used with ssl:
        record         enable per-record tracing
        handshake      print each handshake message
        keygen         print key generation data
        session        print session activity
        defaultctx     print default SSL initialization
        sslctx         print SSLContext tracing
        sessioncache   print session cache tracing
        keymanager     print key manager tracing
        trustmanager   print trust manager tracing
        pluggability   print pluggability tracing

        handshake debugging can be widened with:
        data           hex dump of each handshake message
        verbose        verbose handshake message printing

        record debugging can be widened with:
        plaintext      hex dump of record plaintext
        packet         print raw SSL/TLS packets
Source: http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug
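The two things worth checking here are the ones the question and the answer circle around: which trust store the JVM that runs your client actually consults (it is `<java.home>/lib/security/jssecacerts` if that file exists, otherwise `<java.home>/lib/security/cacerts`, unless `javax.net.ssl.trustStore` overrides it), and whether your client should depend on that file at all rather than loading a trust store explicitly. The program below is an added example, not code from the original question or answer. It reports the effective trust store path and whether the imported alias is present as a trusted certificate, then performs the POST with an `SSLContext` whose only trust source is that store. The alias `example`, the password `changeit` and the URL `https://example.internal/api` are assumptions; change them to match your setup. Run it with the same `java` binary Glassfish starts with, i.e. the JRE in which you ran `keytool -import`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post). First reports which trust store
 * this JVM will consult, then posts to the server with trust pinned to an
 * explicitly loaded store, so the result no longer depends on which cacerts
 * file the app server happened to pick up.
 */
public class TrustStoreCheck {

    /** Path of the trust store JSSE uses when no explicit trust store is configured. */
    static Path effectiveTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        // JSSE default order: <java.home>/lib/security/jssecacerts, then cacerts
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return jsse.toFile().exists() ? jsse : security.resolve("cacerts");
    }

    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build an SSLContext whose trust decisions come only from the given trust store. */
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Key managers are null: this client presents no identity of its own.
        // A client certificate would be loaded from a *key* store via KeyManagerFactory,
        // which is the other half of the keystore/truststore distinction.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String alias = "example";                       // assumption: alias used with keytool -import
        char[] password = "changeit".toCharArray();     // assumption: default cacerts password
        String target = "https://example.internal/api"; // assumption: hypothetical server URL

        Path path = effectiveTrustStorePath();
        System.out.println("java.home            = " + System.getProperty("java.home"));
        System.out.println("effective truststore = " + path);

        KeyStore ts = loadTrustStore(path, password);
        boolean present = ts.containsAlias(alias) && ts.isCertificateEntry(alias);
        System.out.println("alias '" + alias + "' present as trusted cert: " + present);
        if (!present) {
            System.out.println("This JVM is not reading the cacerts file you amended.");
        }

        // POST with trust restricted to the store inspected above.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(contextTrusting(ts).getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {
            out.write("ping".getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

If the alias is reported missing, the JVM running the client is not the one whose cacerts you edited (a different JRE, a `jssecacerts` file taking precedence, or a `-Djavax.net.ssl.trustStore` set by the server's startup scripts). If it is present and the POST still fails, adding `-Djavax.net.debug=ssl,trustmanager` to the same launch will show which trust anchors the trust manager loaded and why the server's chain was rejected.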