We are getting some problems and handshake errors when we try to connect to a web service. I will try to describe the problem. Any help would be greatly appreciated.

We imported the certificate (Added Certificate: CN=Data License SubCA) into the Java TrustStore, but unfortunately, when we want to use it (through our Java code), another root certificate -> RootCA (CN=DigiCert High ) is sent to the web service. That's why we keep getting handshake errors.

If we use this certificate alone as the default TrustStore, it works because it's the only certificate there. But we want to add it to the JDK default TrustStore so we can use our other certificates as well.

So what we have already done is import this specific certificate into the default Java TrustStore, so that it works together with the other certificates.

The steps I have already taken are:

  1. Exported the P12 from the provider certificate as a CRT to import into the TrustStore:

keytool -exportcert -keystore ~/local/ssl/XXCert.p12 -storetype PKCS12 -storepass ourpassword -alias 220220210652062728 -file /opt/ac/common/xxx/home/XXXCert2.crt

  2. Imported it into the default keystore. We will then use the custom cacerts:

keytool -import -trustcacerts -alias 220220210652062728 -file /opt/ac/common/xx/home/XXXCert2.crt -keystore /opt/ac/common/xxx/local/java/jdk1.8.0_341/jre/lib/security/cacerts

As soon as we start the server, we can see that the certificate is added:

22-09-01 17:18:00,776 ERROR ( 47144512) [stderr] (EJB default - 68) javax.net.ssl|FINE|07 1D|EJB default - 68|2022-09-01 17:18:00.775 CEST|X509TrustManagerImpl.java:78|adding as trusted certificates (
22-09-01 17:18:00,776 ERROR ( 47144512) [stderr] (EJB default - 68)   "certificate" : {
22-09-01 17:18:00,776 ERROR ( 47144512) [stderr] (EJB default - 68)     "version"            : "v3",
22-09-01 17:18:00,776 ERROR ( 47144512) [stderr] (EJB default - 68)     "serial number"      : "4C 00  00 00 00 1E 5F 00",
22-09-01 17:18:00,776 ERROR ( 47144512) [stderr] (EJB default - 68)     "signature algorithm": "SHA256withRSA",
22-09-01 17:18:00,776 ERROR ( 47144512) [stderr] (EJB default - 68)     "issuer"             : "CN=Data License SubCA",
...

As soon as we try to send the request, this happens:

22-09-01 17:18:01,713 ERROR ( 47144512) [stderr] (EJB default - 68) javax.net.ssl|FINE|07 1D|EJB default - 68|2022-09-01 17:18:01.712 CEST|X509TrustManagerImpl.java:237|Found trusted certificate (
22-09-01 17:18:01,713 ERROR ( 47144512) [stderr] (EJB default - 68)   "certificate" : {
22-09-01 17:18:01,713 ERROR ( 47144512) [stderr] (EJB default - 68)     "version"            : "v3",
22-09-01 17:18:01,713 ERROR ( 47144512) [stderr] (EJB default - 68)     "serial number"      : "02 26 6A 0B 40 9B AC 5C ",
22-09-01 17:18:01,713 ERROR ( 47144512) [stderr] (EJB default - 68)     "signature algorithm": "SHA1withRSA",
22-09-01 17:18:01,713 ERROR ( 47144512) [stderr] (EJB default - 68)     "issuer"             : "CN=DigiCert High Assurance EV Root

And then we get the handshake error, because originally "CN=Data License SubCA" should be sent, but "CN=DigiCert High Assurance EV Root" is sent instead.

Provider certificate, which we added and which can be found in the TrustStore: CN=Data License SubCA

I think the problem is with the RootCA and the SubCA.

Thanks a lot. Regards

  • Seems to me like you mixed your keystore and truststore up. Does your server provide the web service or connect to one? Usually the client doesn't have to provide a certificate. Could you provide the configuration of the server where you set the "truststore"? Commented Oct 18, 2022 at 14:20
  • We got the certificate from the WebService provider (XXXCert.p12) in p12 format. I changed it into a crt and imported it into "cacerts". The WebService client call then automatically chooses the false certificate (RootCA) from "cacerts". Commented Oct 18, 2022 at 14:43
  • Is adding the root certificate that yours is derived from to your truststore an option? Commented Oct 18, 2022 at 14:57
  • No... we only have the file from the provider with the SubCA certificate. Commented Oct 18, 2022 at 15:35
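The handshake log above only shows which trusted certificate the JDK matched; it does not say why the chain the server sent was or was not accepted, nor whether a client certificate would be presented. The following is an added diagnostic example, not code from the question or the comments. It uses only standard JDK APIs: it loads a trust store (the JDK 8 cacerts file is JKS, as in the question), reads the server's certificate chain from a PEM file, runs the same PKIX validation the default TrustManager performs and prints which anchor the chain terminated at or why none was reached. It also shows the point the first comment raises: the provider's .p12 (private key plus certificate) belongs in the KeyManager, the CA certificates in the TrustManager; a certificate that sits in the trust store is only ever used to verify the peer, never presented as the client's own identity. All file paths and passwords are command-line placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the question): validates a server chain against a
 * trust store the way the JDK's PKIX TrustManager does, and builds an
 * SSLContext with the client identity kept apart from the trust store.
 *
 * Usage (placeholder paths, not the poster's):
 *   java ChainCheck /path/to/cacerts changeit /path/to/server-chain.pem \
 *                   [/path/to/client-identity.p12 p12password]
 */
public class ChainCheck {

    /** Loads a store of the given type ("JKS" for JDK 8 cacerts, "PKCS12" for a .p12). */
    static KeyStore loadStore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more PEM certificates, leaf first, in the order the server sends them. */
    static List<X509Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Same PKIX validation the handshake performs; reports the anchor reached or the failure. */
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        // The validator wants the path to stop just below the anchor, so drop any
        // trailing certificate that is itself a trusted entry in the store.
        List<X509Certificate> path = new ArrayList<>(chain);
        while (path.size() > 1 && trust.getCertificateAlias(path.get(path.size() - 1)) != null) {
            path.remove(path.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(trust); // anchors = trusted cert entries in cacerts
        params.setRevocationEnabled(false);               // offline: no CRL/OCSP lookups
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "trusted via anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            // index points at the certificate in the path that could not be linked
            return "NOT trusted: " + e.getMessage()
                    + " (reason=" + e.getReason() + ", index=" + e.getIndex() + ")";
        }
    }

    /** Identity (.p12 with private key) -> KeyManager; CA certificates -> TrustManager. */
    static SSLContext buildContext(KeyStore identity, char[] identityPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, identityPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ChainCheck <truststore> <storepass> <chain.pem> [<identity.p12> <p12pass>]");
            System.exit(2);
        }
        KeyStore trust = loadStore(args[0], args[1].toCharArray(), "JKS");
        List<X509Certificate> chain = readChain(args[2]);
        for (int i = 0; i < chain.size(); i++) {
            System.out.println("[" + i + "] subject=" + chain.get(i).getSubjectX500Principal()
                    + "  issuer=" + chain.get(i).getIssuerX500Principal());
        }
        System.out.println(validate(chain, trust));

        if (args.length >= 5) {
            char[] p12Pass = args[4].toCharArray();
            KeyStore identity = loadStore(args[3], p12Pass, "PKCS12");
            SSLContext ctx = buildContext(identity, p12Pass, trust);
            System.out.println("SSLContext ready (" + ctx.getProtocol() + "), identity aliases: "
                    + Collections.list(identity.aliases()));
        }
    }
}
```

The PEM chain file can be captured from the endpoint with `openssl s_client -showcerts -connect host:443` and pasting the certificate blocks, leaf first. If the printout ends with "trusted via anchor: CN=DigiCert High Assurance EV Root ..." then server verification is not what fails, and the remaining question is whether the service requires a client certificate, which only the KeyManager path in buildContext supplies.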
