From: David D.K. <ddk...@ki...> - 2005-01-27 15:10:26
There are four basic items that must hold true for Java to trust a secure (https/SSL) web site:

1. The certificate must NOT be expired.
2. The certificate's "common name" must match the hostname of the web site being accessed.
3. The hostname must resolve properly in DNS (either via local hosts/lmhosts file or via DNS service).
4. A chain of trust must be established between the certificate used for the web site and the trusted certificates in the $JAVA_HOME/lib/security/cacerts file (where $JAVA_HOME is the installation directory for your JVM).

There are work-arounds for each of the above items in Java (item #3's work-around is adding an entry to /etc/hosts or the equivalent), but it's easiest just to generate a self-signed certificate with correct information for items #1 and #2, then add the self-signed certificate to the "cacerts" file mentioned above. This will cause the JVM to trust the self-signed certificate for SSL connections, which should resolve your issue.

Extracting the certificate in a compatible format and importing it into the cacerts file is left as an exercise for the reader. You will need to use the "keytool" command (it comes with the JVM; see link below for documentation) to import the certificate into the "cacerts" file, although I would STRONGLY recommend making a backup copy of the "cacerts" file first.

http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html

If keytool won't recognize the certificate in whatever format you currently have it in, you will probably want to use the "openssl" tool to convert it to the "DER" format (which keytool likes).

http://www.openssl.org/

Windows users may get openssl through Cygwin, or there is a stand-alone binary available on the second web site listed below:

http://www.cygwin.com/
http://hunter.campbus.com/

Hope that helps!

Dave

On Jan 26, 2005, at 7:42 AM, Muri Josef (KCDA 11) wrote:

> Hi everyone,
>
> I tried to run my htmlunit tests over an https url. The application
> needs a login via an Entrust Pki certificate.
> I configured my java environment for jsse (sdk 1.4.2) as described on
> the homepage but when I run the tests I get
> an Exception. See console:
> [...]
> ***
> main, SEND SSLv3 ALERT: fatal, description = certificate_unknown
> main, WRITE: SSLv3 Alert, length = 2
> main, called closeSocket()
> main, handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate
> found
> main, called close()
> main, called closeInternal(true)
>
> I can see the name of the certificate in the log but it seems not to
> work..
> Any idea?
>
> Thanks for the input.
> -Josef
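
The conversion and import steps that the reply leaves as an exercise, sketched as an added example that is not part of the original message. The file names, the alias and the helper function names are placeholders chosen for illustration; "changeit" is the default password of the cacerts keystore.

```bash
#!/bin/sh
# Added example: file names, alias and keystore path are placeholders.

# Convert a PEM certificate to DER, the encoding the message says keytool likes.
pem_to_der() {              # usage: pem_to_der server.pem server.der
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER
}

# Show the fields behind items #1 and #2: subject (common name) and validity.
show_cert() {               # usage: show_cert server.der
    openssl x509 -in "$1" -inform DER -noout -subject -dates
}

# Item #1: succeed only if the certificate has not expired.
cert_not_expired() {        # usage: cert_not_expired server.der
    openssl x509 -in "$1" -inform DER -noout -checkend 0 >/dev/null
}

# Back up the keystore, import the certificate as trusted, then list the entry.
# "changeit" is the default cacerts password; substitute yours if it was changed.
import_trusted() {          # usage: import_trusted server.der alias keystore
    cp -p "$3" "$3.bak" || return 1
    keytool -import -noprompt -trustcacerts -alias "$2" -file "$1" \
            -keystore "$3" -storepass changeit || return 1
    keytool -list -alias "$2" -keystore "$3" -storepass changeit
}

# Typical run (placeholder names):
#   pem_to_der server.pem server.der
#   show_cert server.der && cert_not_expired server.der
#   import_trusted server.der my-test-server "$JAVA_HOME/lib/security/cacerts"
```

Every program run by that JVM will then trust the imported certificate. To limit the trust to the test run, pass a copy of cacerts as the keystore argument and start the tests with -Djavax.net.ssl.trustStore pointing at the copy.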