I've a weird problem - a supplier uses TLS SSLv3 with both a self signed client and server certificate. This hasn't been a problem with Java1.5 and Java1.6 - simply import
I have also encountered this situation when dealing with JDK 1.7. If the req command is invoked with the -x509 option, it's better to uncomment the keyUsage line in the v3_ca section and generate the CA again with (see http://wwwneu.secit.at/web/documentation/openssl/openssl_cnf.html):
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf -extensions v3_ca -batch
And if you use the generated CA certificate to sign other certificates, make sure that you also uncomment the item basicConstraints = CA:true and set its value to true.
I actually had a somewhat similar issue, where a Tomcat application would trust the CA cert in the truststore when using Java 1.6 and reject it with Java 1.7. After adding keyUsage to my CA certificate it works (after reading a bug report, JDK-7018897: CertPath validation cannot handle self-signed cert with bad KeyUsage).
What I have done (Ubuntu 12.04 x64):
1. Uncomment the keyUsage line in the v3_ca section.
2. Generate a new CA cert from the old one with keyUsage included, using the command:
openssl x509 -in oldca.pem -clrext -signkey oldca.key -extfile /etc/ssl/openssl.cnf -extensions v3_ca -out newca.pem
3. Delete the old CA key from the truststore and insert the new one.
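Both answers above come down to the same two extensions in the v3_ca section: keyUsage with keyCertSign and basicConstraints CA:true. The script below is an added example, not code from any answer in this thread; it generates a self-signed CA from a constructed config in both forms (correct extensions, and a keyUsage without keyCertSign like the "bad KeyUsage" of JDK-7018897) and provides a check you can run against any PEM certificate before importing it into a truststore. The config contents, subject names and the $WORK scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed CA whose v3_ca
# extensions carry keyUsage keyCertSign and basicConstraints CA:TRUE, and
# check any certificate for those two extensions before trusting it.
# Config contents, subject names and $WORK are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed config. v3_ca matches what the answers end up with (keyUsage
# uncommented, basicConstraints CA:true); v3_bad carries a keyUsage that
# lacks keyCertSign, i.e. a CA cert a JDK 7+ CertPath check will reject.
write_cnf() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Example Test CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_bad ]
basicConstraints = CA:true
keyUsage = digitalSignature, keyEncipherment
EOF
}

# Self-signed CA using the named extension section; prints the cert path.
# usage: make_ca <extension section> <file basename>
make_ca() {
  write_cnf
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" \
    -config "$WORK/ca.cnf" -extensions "$1" -batch 2>/dev/null
  echo "$WORK/$2.crt"
}

# Returns 0 when the cert has what a CA needs for JDK 7+ path validation:
# 1 = no basicConstraints CA:TRUE, 2 = no keyUsage keyCertSign.
check_ca_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 2
  return 0
}

# Stand-alone run: the v3_ca cert passes, the v3_bad cert fails with code 2.
good=$(make_ca v3_ca good)
bad=$(make_ca v3_bad bad)
check_ca_cert "$good" && echo "$good: usable as a CA"
check_ca_cert "$bad" || echo "$bad: rejected (code $?)"
```

Run check_ca_cert on the CA you are about to import with keytool; if it returns 2 the fix is the one described above (enable keyUsage in v3_ca and re-sign the CA), not a change on the Java side.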
For some reason Java 8 doesn't accept a self-signed certificate even when it is added to its cacerts store.
My workaround for that is to create a custom keystore:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj "/C=MA/ST=ByExample/L=Test/O=Chapter3/OU=Org/CN=bip70.com" -nodes
openssl x509 -in cert.pem -outform DER -out cert.der   # convert the PEM cert to the DER file imported below
keytool -import -keystore clientkeystore -file cert.der -alias bip70.com -storepass changeit
then use it in my IDE with the JVM argument: -Djavax.net.ssl.trustStore=clientkeystore