
SSL certificate issue - javax.net.ssl.SSLHandshakeException: No trusted certificate found

I have been having an SSL handshake issue on a two-way communication with the external server.
I'm invoking an external webservice call using Axis. My client application is running in WebLogic 8.1.
The vendor has provided me with a PFX file with a passphrase which contains a key and a chain of certificates.
There is a scenario where it works. I load both a keystore and a truststore during the start up of my WebLogic. If I use the PFX file as my keystore and remove the truststore, I'm able to establish a handshake with the server.
However, I already have a keystore and a truststore that load at start up, and removing them will impact other components of the application.
I tried to extract the keys and the certificates and import them to my already existing keystore and truststore. It will not work. Do you know what could be going wrong? Can someone please help me out on this?

Below is the relevant part of the exception I keep getting:
	{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
	at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
	at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
	at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)


1 Solution
What does not work with importing the certs into your existing keystores?

Have a look at http://stackoverflow.com/questions/2196740/weblogic-8-1-two-way-ssl-authentication-on-a-web-app-full-example for a detailed step-by-step guide.
I suspect the issue is that when you are extracting it you are giving it a .crt extension, which is incorrect as it contains both the public and the private key. Try giving the exported file a .p12 extension, then try importing that file to your keystore.
swapna84 (Author) Commented:
Here is what I did. I first converted the pfx file to .pem and then exported the key and the certs to a .p12 file. Then I imported both the key and the certs to the truststore.
openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"

keytool -importkeystore -srckeystore clientcert.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS

Removing the truststore and replacing this with the vendor-provided keystore at the application seems to work without any issue.
Just adding these three lines in my code:
System.setProperty("javax.net.ssl.keyStore", "mypfxfile.pfx");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"

keytool -importkeystore -srckeystore clientcert.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS


You create an outfile mykeystore.p12 but import from clientcert.p12.  If this is actually what you did then the problem is your srckeystore needs to be mykeystore.p12
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
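
An added example, not code from this thread: one way to use the vendor PFX as client key material for a single connection while validating the server against an existing truststore, without setting the JVM-wide javax.net.ssl.* properties. It assumes Java 7 or later; the class name VendorSslContext, the file paths and the passwords are placeholders, and wiring the resulting socket factory into Axis is not shown.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: paths and passwords are placeholders supplied as arguments.
public class VendorSslContext {

    static KeyStore load(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // Print each alias and its entry kind; return the number of key entries.
    static int describe(String label, KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) keyEntries++;
            System.out.println(label + ": " + alias + " -> "
                    + (isKey ? "key entry (with chain)" : "trusted certificate entry"));
        }
        return keyEntries;
    }

    static SSLContext build(KeyStore identity, char[] keyPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);   // client certificate presented to the server
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);               // certificates used to validate the server
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args: <vendor.pfx> <pfx passphrase> <truststore.jks> <truststore password>
        KeyStore identity = load(args[0], "PKCS12", args[1].toCharArray());
        KeyStore trust = load(args[2], "JKS", args[3].toCharArray());
        if (describe("identity", identity) == 0)
            throw new IllegalStateException("PFX has no key entry");
        describe("trust", trust);
        SSLContext ctx = build(identity, args[1].toCharArray(), trust);
        System.out.println("SSLSocketFactory ready: " + ctx.getSocketFactory());
    }
}
```

The per-alias listing shows whether a store holds a key entry or only trusted certificate entries, which is the distinction the import steps in this thread depend on.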