I have implemented a CA that has a self-signed certificate: <CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE>
I have a cert from this CA: <CN=realAnonym>
With this cert, I want to make an SSL connection to some server with client authentication.
<CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> is included in the cacerts file of the server.
<CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> (Part of trusted CA's) in my opinion matches <CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> (second certificate in the certificate chain of <CN=realAnonym>).
But it doesn't?
Executing the server with -Djavax.net.debug=ssl,handshake gives:
.......
<CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
<CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net>
<CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US>
<OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US>
<CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US>
<CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> (Part of trusted CA's)
<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
*** ServerHelloDone
main, WRITE: TLSv1 Handshake, length = 7383
main, READ: TLSv1 Handshake, length = 3784
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=realAnonym (client certificate)
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
public exponent: 65537
Validity: [From: Fri Nov 18 00:00:00 CET 2005,
To: Fri Nov 03 12:04:28 CET 2006]
Issuer: C=BE, L=Leuven, O=KUL, OU=JurgenAgten, CN=ps (Client certificate issuer)
SerialNumber: [ 0107a404 7764]
Certificate Extensions: 3
[1]: ObjectId: 2.1.2.3.102 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 02 31 00 ..1.
[2]: ObjectId: 2.1.2.3.101 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1D 31 1B 30 19 13 02 4C 64 02 02 03 E8 13 06 ..1.0...Ld......
0010: 61 7A 65 72 74 79 13 07 41 72 62 69 74 65 72 azerty..Arbiter
[3]: ObjectId: 2.1.2.3.100 Criticality=false
Extension unknown: DER encoded OCTET string =
]
Algorithm: [MD5withRSA]
Signature:
]
chain [1] = [
[
Version: V1
Subject: CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE (Client certificate chain[1], the CA)
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
public exponent: 65537
Validity: [From: Fri Nov 18 16:31:50 CET 2005,
To: Thu Feb 16 16:31:50 CET 2006]
Issuer: CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE (is self-signed)
SerialNumber: [ 437df3e6]
]
Algorithm: [MD5withRSA]
Signature:
]
***
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
main, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
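PKIX path validation does not match a trust anchor by subject DN: the anchor's public key must verify the signature on the certificate below it, so a cacerts entry with the right name but a different key (for example from a regenerated CA key pair) still fails with "Path does not chain with any of the trust anchors". The Java program below, added here as an example and not part of the original post, loads the server trust store and the client chain, reports whether the anchor whose DN matches the leaf's issuer carries the same key as the CA the client sent and whether it verifies the leaf signature, then runs the same PKIX validation the handshake performs; the file names, passwords and key-store alias are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not from the original post. Assumed: server trust store "cacerts"
// (JKS, password "changeit"); client key and chain under alias "client" in "client.p12".
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("cacerts")) {
            ts.load(in, "changeit".toCharArray());
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("client.p12")) {
            ks.load(in, "secret".toCharArray());
        }
        Certificate[] chain = ks.getCertificateChain("client");
        X509Certificate leaf = (X509Certificate) chain[0];
        X509Certificate sentCa = (X509Certificate) chain[chain.length - 1];
        // Every certificate in the trust store is a candidate anchor.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ts.aliases())) {
            X509Certificate anchor = (X509Certificate) ts.getCertificate(alias);
            if (anchor == null) continue;  // key entries without a certificate
            anchors.add(new TrustAnchor(anchor, null));
            if (!anchor.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) continue;
            // Same DN as the leaf's issuer; now compare what PKIX actually uses, the key.
            boolean sameKey = Arrays.equals(anchor.getPublicKey().getEncoded(), sentCa.getPublicKey().getEncoded());
            System.out.println(alias + ": DN matches issuer; same key as the CA the client sent: " + sameKey);
            try {
                leaf.verify(anchor.getPublicKey());
                System.out.println("  leaf signature verifies with this anchor's key");
            } catch (Exception e) {
                System.out.println("  leaf signature does NOT verify: " + e);
            }
        }
        // Run the validation the handshake performs. The self-signed CA is supplied as
        // an anchor, so it is left out of the path itself.
        List<Certificate> path = new ArrayList<>(Arrays.asList(chain));
        if (sentCa.getSubjectX500Principal().equals(sentCa.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);  // no CRL/OCSP for this lab CA
        CertPathValidator.getInstance("PKIX").validate(
                CertificateFactory.getInstance("X.509").generateCertPath(path), params);
        System.out.println("PKIX validation succeeded");
    }
}
```

Current JDKs also refuse MD5withRSA signatures during path validation (the jdk.certpath.disabledAlgorithms security property), and an expired CA certificate fails with a validity-period message rather than the one above, so check both before suspecting the trust store contents.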