SSL using certificates retrieved with Sun MSCAPI provider
843811, May 10 2007 (edited Jun 20 2010)

We are having a problem with establishing a mutually (client) authenticated SSL connection between Java clients and a server. The aspect of our solution that differs from much of the information we can find on Java and SSL connections is that we are using certificates that are in the Microsoft certificate store and retrieved using the Sun MSCAPI provider.
We have written a custom KeyManager and a custom TrustManager, each of which uses certificates out of the Microsoft certificate store (again, accessed using the Sun MSCAPI provider) rather than certificates in a JKS. All of the certificates we are using are part of a PKI (not self-signed).
We are successfully using the certificates in other cryptographic operations in Java, such as creating and verifying digital signatures, using normal java.security classes. Although the error messages I will post below may seem to indicate that there is an issue with the certificate ("bad certificate" - see below), I really don't think it is a problem with the certificates, as we are using them in many other places successfully, both in Java and COTS applications; we are only having a problem with Java SSL. The certificate chain that we create in the KeyManager includes all certs in the chain from the certificate to its root (root is last in the array).
We have tried connecting the Java client to a variety of servers, including a simple Java server, and all seem to have the same problem with it not being able to create a mutually authenticated SSL connection. When we disable client authentication on the servers (ss.setNeedClientAuth(false) in the simple Java one), a server-side SSL connection is successfully established (not an option for our application - just FYI).
The error on the server side from our simple java server is:
*** CertificateVerify
Thread-0, SEND TLSv1 ALERT: fatal, description = bad_certificate
Thread-0, WRITE: TLSv1 Alert, length = 2
Thread-0, called closeSocket()
Thread-0, handling exception: javax.net.ssl.SSLHandshakeException: certificate verify message signature error
The error on the client side is:
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 11 B4 2E 49 05 CF AA D1 3E 20 10 B5 .......I....> ..
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, bad_certificate
Does anyone have any experience with using certificates retrieved via the MS CAPI provider in SSL connections, or any suggestions as to how to fix this problem? Is there something that needs to be set differently from the default for the SSL context? We have tried changing the default settings, but haven't found a configuration that makes it work.
Thanks for any help.
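The setup the post describes (a client-auth SSLContext whose key and trust material come from the Windows certificate stores through SunMSCAPI, with a custom KeyManager in front of it), written out as an added example. This is not the poster's code and does not claim to explain the poster's bad_certificate alert; it shows the standard way to wire Windows-MY and Windows-ROOT into JSSE, a thin X509KeyManager wrapper that pins the client alias, and the pre-flight checks a practitioner would run before attempting the handshake. Assumptions: a Windows JRE with the SunMSCAPI provider, Java 7 or later, a Personal-store entry exposed under the hypothetical alias "client-cert", and a placeholder target host and port.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

public class MscapiMutualTls {

    // Hypothetical alias (assumption). SunMSCAPI lists each Personal-store certificate
    // under its friendly name, falling back to the subject CN when none is set.
    static final String CLIENT_ALIAS = "client-cert";

    /** Wraps the provider-built X509KeyManager so client authentication always offers one alias. */
    static final class PinnedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) { return alias; }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return delegate.chooseServerAlias(keyType, issuers, s); }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        // Chain and key come straight from the CAPI-backed store; the private key object is a
        // handle, not key material, so signing is performed inside CAPI.
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    public static SSLContext buildContext() throws Exception {
        // Windows-MY: the current user's Personal store, where the client key pair lives.
        KeyStore my = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        my.load(null, null);   // no stream, no password: entries are read from the OS store
        // Windows-ROOT: Trusted Root Certification Authorities, used as the trust anchors.
        KeyStore root = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
        root.load(null, null);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(my, null);    // key password is meaningless for CAPI-backed keys
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(root);

        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("SunX509 factory returned no X509KeyManager");

        checkClientEntry(base, CLIENT_ALIAS);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(base, CLIENT_ALIAS) }, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fail fast on a broken entry instead of learning about it from an alert mid-handshake. */
    static void checkClientEntry(X509KeyManager km, String alias) throws Exception {
        X509Certificate[] chain = km.getCertificateChain(alias);
        PrivateKey key = km.getPrivateKey(alias);
        if (chain == null || chain.length == 0 || key == null)
            throw new IllegalStateException("alias " + alias + " has no usable chain/key in Windows-MY");
        X509Certificate leaf = chain[0];   // TLS sends the chain leaf-first, root (if any) last
        leaf.checkValidity();
        if (!leaf.getPublicKey().getAlgorithm().equals(key.getAlgorithm()))
            throw new IllegalStateException("leaf public key and private key algorithms differ");
        // The TLS 1.0 CertificateVerify is a NONEwithRSA signature over MD5||SHA-1. JSSE obtains
        // the Signature through the JCA delegate, which binds to whichever provider accepts the
        // key at initSign, so the provider owning this CAPI key handle must offer NONEwithRSA.
        Signature sig = Signature.getInstance("NONEwithRSA");
        sig.initSign(key);
        System.out.println("CertificateVerify would be signed by provider " + sig.getProvider().getName());
        System.out.println("chain: leaf=" + leaf.getSubjectX500Principal()
                + ", last=" + chain[chain.length - 1].getSubjectX500Principal());
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";   // placeholder target (assumption)
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        SSLSocketFactory factory = buildContext().getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            sock.startHandshake();
            System.out.println("negotiated " + sock.getSession().getProtocol()
                    + " as " + sock.getSession().getLocalPrincipal());
        }
    }
}
```

Run it with -Djavax.net.debug=ssl,handshake on the client and on the test server so the CertificateVerify record and the alert that answers it appear side by side; the pre-flight output tells you which provider actually produced the signature and which subject sits at each end of the chain before any bytes go on the wire.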