SSL certificate issue - javax.net.ssl.SSLHandshakeException: No trusted certificate found

Hello,
I have been having an SSL handshake issue on a two-way communication with the external server.
I'm invoking an external web service call using Axis. My client application is running in WebLogic 8.1.
The vendor has provided me with a PFX file with a passphrase which contains a key and a chain of certificates.
There is a scenario where it works. I load both a keystore and a truststore during the startup of my WebLogic. If I use the PFX file as my keystore and remove the truststore, I'm able to establish a handshake with the server.
However, I already have a keystore and a truststore that load at startup, and removing them will impact other components of the application.
I tried to extract the keys and the certificates and import them to my already existing keystore and truststore. It will not work. Do you know what could be going wrong? Can someone please help me out on this?

Below is the relevant part of the exception I keep getting...
 
faultDetail: 
	{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
	at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
	at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
	at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)

swapna84 Asked:

sweetfa2 Commented:
What does not work with importing the certs into your existing keystores?

Have a look at http://stackoverflow.com/questions/2196740/weblogic-8-1-two-way-ssl-authentication-on-a-web-app-full-example for a detailed step-by-step guide.
0
colr__ Commented:
I suspect the issue is that when you are extracting it you are giving it a .crt extension, which is incorrect as it contains both the public and the private key. Try giving the exported file a .p12 extension, then try importing that file to your keystore.
0
swapna84 Author Commented:
Hi,
Here is what I did. I first converted the pfx file to .pem and then exported the key and the certs to a .p12 file. Then I imported both the key and the certs to the truststore.
openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"

keytool -importkeystore -srckeystore clientcert.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS

Removing the truststore and replacing this with the vendor-provided keystore at the application seems to work without any issue,
just adding these three lines in my code:
System.setProperty("javax.net.ssl.keyStore", "mypfxfile.pfx");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

0
sweetfa2 Commented:
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"

keytool -importkeystore -srckeystore clientcert.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS

You create an outfile mykeystore.p12 but import from clientcert.p12. If this is actually what you did, then the problem is your srckeystore needs to be mykeystore.p12.
0
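
The conversion discussed in the answer above, as an added example that is not part of any poster's message: each step's output path is handed on as the next step's input, and the resulting file is checked for the private key and the original certificate before it is used. The throwaway PFX, file names, alias and passphrase are constructed; the keytool step runs only where keytool is installed.

```sh
# Added example: file names, alias and passphrase are constructed placeholders.
umask 077                       # the intermediate PEM holds an unencrypted key
PASS='demo-pass'; ALIAS='MyCert'

# Throwaway self-signed PFX standing in for the vendor-supplied file.
make_sample_pfx() {             # $1 = output .pfx
    d=$(mktemp -d) &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed-client' \
        -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -name "$ALIAS" \
        -passout "pass:$PASS" -out "$1"
    rc=$?; rm -rf "$d"; return $rc
}

# SHA-256 fingerprint of the client certificate inside a PKCS#12 file.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Succeeds only if the PKCS#12 file carries a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# The two openssl steps, with the PEM path derived from the output path.
pfx_to_p12() {                  # $1 = vendor .pfx, $2 = new .p12
    pem="${2%.p12}.pem"
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes -out "$pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$pem" -name "$ALIAS" -passout "pass:$PASS" -out "$2"
    rc=$?; rm -f "$pem"; return $rc
}

# keytool step: -srckeystore is the file pfx_to_p12 wrote, passed in as $1.
p12_to_jks() {                  # $1 = .p12, $2 = .jks
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore "$2" -deststoretype JKS \
        -deststorepass "$PASS" -noprompt >/dev/null 2>&1 &&
    keytool -list -keystore "$2" -storepass "$PASS" 2>/dev/null | grep -q PrivateKeyEntry
}
work=$(mktemp -d)
make_sample_pfx "$work/vendor.pfx" && pfx_to_p12 "$work/vendor.pfx" "$work/mykeystore.p12" &&
    [ "$(p12_fingerprint "$work/vendor.pfx")" = "$(p12_fingerprint "$work/mykeystore.p12")" ] &&
    p12_has_key "$work/mykeystore.p12" && echo "p12 holds the key and the vendor certificate"
if command -v keytool >/dev/null 2>&1; then
    p12_to_jks "$work/mykeystore.p12" "$work/clientcert.jks" && echo "JKS has a PrivateKeyEntry"
fi
rm -rf "$work"
```
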

Tolomir Administrator Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0