CA-Signed certificate: Received fatal alert: bad_certificate
843811Dec 17 2008 — edited Jan 9 2009Hello. I am still trying to get rmi ssl to work in the way I want (see my post http://forums.sun.com/thread.jspa?threadID=5351278&tstart=15 ).
I read that CA signed certificates are preferred to self signed certificates due to several reasons. Due to the fact, that I want to run a lot of different services, each with an own certificate, it is out of question to let them be signed by a real CA (for now all is in a testing environment and once I have solved all the problems this might become an option).
So for now, I create my own certificate authority and sign the certificates for my services (who interact with each other via ssl).
If there is a flaw in my setup, please tell me. If not continue reading.
In my scenario, a service A is querying a server S to discover a service B. S sends all the information about B back to A, including the certificate of B (so A can use ssl to talk to B). I use client authentication.
Each component uses a keystore, which acts as a truststore at the same time.
When I use self signed certificates and import them to the other keystores (using keytool) everything works as it should.
My setup using ca-signed certificates fails.
At the beginning the server has all the certificates in his keystore (A & B & S, which were signed with the servers secret key, who acts as my CA). A contains the servers certificate and his own, which has been signed with the servers private key (A &S). B contains the servers certificate and his own, which has been signed with the servers private key (B & S).
As far as I understand ssl, if A wants to talk to B, it needs the certificate of B (and needs to trust it).
In my scenario, A is receiving the certificate of B, when it queries the server for information about B. The certificate is imported into As keystore (works), but the method call fails with:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Is rmi ssl creating and using selfsigned certificates from the private keys in the keystore? Maybe I made a mistake, but I don't see it.
A has a certificate of B (and trusts it, because it was signed by an authority whose certificate is trusted from the beginning). B should trust the certificate of A (because it was signed by the same authority). So why is there a bad certificate?
My guess is, in the ssl handshake, A is using his private key to create a self signed certificate and is sending this to B. B has no reason of trusting a self-signed certificate and the handshake fails.
If you have any ideas, I appreciate them a lot.