Client Authentication - Received fatal alert: bad_certificate
843811, Nov 10 2006 (edited Jul 23 2007)
I am making a "secure" chat server that has some simple functionality.
For the server cert, I sent off the CSR to Thawte and set up the trust chain. That keystore seems to be fine:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: verisigntestroot
Creation date: Nov 10, 2006
Entry type: trustedCertEntry
Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 0
Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
Certificate fingerprints:
MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
*******************************************
*******************************************
Alias name: server
Creation date: Nov 10, 2006
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=TestServer, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, OU=Domain Validated, O=TestServer
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 76369fba895ca9f8f5b44dd1f28307ad
Valid from: Fri Nov 10 15:29:22 EST 2006 until: Fri Dec 01 15:29:22 EST 2006
Certificate fingerprints:
MD5: 5B:7D:EE:B3:0A:CC:7B:B8:A2:73:D3:96:FB:D3:43:ED
SHA1: E2:FD:31:00:D7:9D:F5:93:4E:99:D9:8B:C3:70:87:D9:CF:83:EC:36
Certificate[2]:
Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 0
Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
Certificate fingerprints:
MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
*******************************************
*******************************************
So next I want to set up my client. The professor said that it's fine to just give the clients all self-signed certs, so I ran:
keytool -genkey -alias client1 -keyalg RSA -keystore c1keystore -storepass client1 -keypass client1 -dname "o=jhu, cn=Client 1"
I assumed that I need to add the Thawte Root CA Cert to this keystore as well since I'm doing client authentication:
keytool -import -v -file ../server/thawtecert.txt -trustcacerts -keystore c1keystore -storepass client1
I start up the server, and then I attempt to connect with the client with these options:
-Djavax.net.ssl.trustStore=server/serverstore
-Djavax.net.ssl.keyStore=client/c1keystore
-Djavax.net.ssl.keyStorePassword=client1
Now when I attempt to connect to the server and write to the buffer, I get this error on the client side:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
And this error on the server side:
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: null cert chain
If I connect to the server with these options, I connect fine:
-Djavax.net.ssl.trustStore=server/serverstore
-Djavax.net.ssl.keyStore=server/serverstore
-Djavax.net.ssl.keyStorePassword=server
I assume this means that I have done something very wrong creating the client's keystore. Does anyone know how I'm supposed to create it?
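The check behind the "null cert chain" / bad_certificate pair, as an added example that is not part of the original post and not JSSE's own code. In SunJSSE the server's CertificateRequest advertises the distinguished names of the certificates in its truststore as acceptable issuers, and the client's default key manager only offers a key entry whose chain is issued by one of those names; a self-signed client certificate therefore qualifies only when that certificate itself is in the server's truststore, otherwise the client sends an empty chain. The POSIX shell script below builds throwaway stores with the same keytool commands (the aliases server and client1 are taken from the post; the DNs, paths and password are constructed) and runs that issuer/subject match before and after importing the client certificate into the server truststore.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway server
# truststore and a self-signed client keystore with keytool, then runs the
# check that decides whether the client will present a chain: the issuer of
# the client certificate must equal the subject of a certificate the server
# trusts. DNs, paths and the password are constructed for the demo.
set -eu

PASS=changeit   # constructed demo password, used for both stores

make_stores() {
  # Server key pair; a self-signed stand-in for the CA-issued server cert.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=TestServer, O=demo" -keystore "$SERVER_TS" \
    -storepass "$PASS" -keypass "$PASS"
  # Client key pair, self-signed as the post's -genkey command produces it.
  keytool -genkeypair -alias client1 -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=Client 1, O=jhu" -keystore "$CLIENT_KS" \
    -storepass "$PASS" -keypass "$PASS"
}

# Returns 0 when the client cert's Issuer DN appears as the Owner (subject) DN
# of some certificate in the server truststore, i.e. one of the names the
# server would list in its CertificateRequest; returns 1 otherwise.
issuer_trusted_by_server() {
  issuer=$(keytool -list -v -alias client1 -keystore "$CLIENT_KS" \
             -storepass "$PASS" 2>/dev/null | sed -n 's/^Issuer: //p' | head -n 1)
  keytool -list -v -keystore "$SERVER_TS" -storepass "$PASS" 2>/dev/null \
    | sed -n 's/^Owner: //p' | grep -Fxq "$issuer"
}

# Export the client's self-signed cert and add it to the server truststore.
trust_client_cert() {
  keytool -exportcert -alias client1 -rfc -file "$WORK/client1.pem" \
    -keystore "$CLIENT_KS" -storepass "$PASS"
  keytool -importcert -alias client1 -file "$WORK/client1.pem" -noprompt \
    -keystore "$SERVER_TS" -storepass "$PASS"
}

# Runs the before/after check in a fresh temporary directory. Returns 0 on the
# expected outcome (issuer untrusted before the import, trusted after), 1
# otherwise. If keytool is not on PATH the demo is skipped and 0 is returned.
demo() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; demo skipped"
    return 0
  fi
  WORK=$(mktemp -d)
  SERVER_TS="$WORK/serverstore"   # stands in for server/serverstore
  CLIENT_KS="$WORK/c1keystore"    # stands in for client/c1keystore
  rc=0
  make_stores >/dev/null 2>&1
  if issuer_trusted_by_server; then
    echo "unexpected: server already trusts the client issuer"; rc=1
  else
    echo "before import: client issuer unknown to server -> client offers no cert (null cert chain)"
    trust_client_cert >/dev/null 2>&1
    if issuer_trusted_by_server; then
      echo "after import: client issuer trusted -> client can present its self-signed cert"
    else
      echo "unexpected: client issuer still not trusted after import"; rc=1
    fi
  fi
  rm -rf "$WORK"
  return $rc
}

demo
```

Run it with sh; it is a no-op where keytool is absent. The same keytool -exportcert / -importcert pair is what moves a self-signed client certificate into a server truststore, and keytool -list -v on both stores is the quickest way to confirm that the Issuer line on the client side shows up as an Owner line on the server side.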