Hi Rahul, good explanation, keep up the good work. I have a question here: I have a .p12 file as well as a .cer file, and I have configured the .cer in the truststore and the .p12 as the keystore, but I am still getting an "unable to find certificate" issue.
Thanks for your feedback. Your steps look correct. Please check whether any intermediate certs are used in the certificate chain; if so, add those as well. Also make sure that you are adding to the correct lib/security: sometimes people add the cert to the JDK but use the JRE at runtime, and sometimes there are multiple JDKs or JREs and the certs are added to one version while a different version is used by the code. Also, sometimes the keystore type does not match the JDK version, e.g. JDK8 does not support p12 generated by openssl v2.
Hi Rahul, I have added the Root & Intermediate certs to the truststore and have my client cert in p12 format. I am getting java.security.cert.CertificateParsingException: java.io.IOException: Sequence tag error. Can you please let me know what the root cause for this is?
Such errors are sometimes due to a bug in Java as well; see the "problem conclusion" section at this link: www.ibm.com/support/pages/apar/IJ22037 Try changing the JDK and then rerun.
Hi Rahul, very well explained, but I have a scenario that works in Postman and I am trying to automate it using REST Assured. There is a Host along with a cert and key file, which I have converted into PKCS12 format and imported into the truststore file. So I need to send the cert file along with the Host to get the token, but I am getting a Forbidden error. Can you please help me resolve this issue?
Hello Rahul, I am trying to resolve an SSL handshake exception as well. I have received the certificate for resolving this, which is a .der file. Do I need to create both a keystore and a truststore for this? Can you please guide me?
To resolve the SSL handshake exception you will require the certificate (.der) and the key file. Ask the team that gave you the certificate file to provide the key file as well. You can then create a p12 using the certificate and key and use it as the keystore. If you get a PKIX exception as well, then you will require a truststore and will have to import the root/intermediate certs into it.
To save time, you can verify your files by using Postman as well. I created this step-by-step video for that: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-JowHJgBe8Mo.html
Hi, how are you? Congratulations on the video... I did the same steps as you, but I'm having this problem: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. I found your channel because I'm having an error in Java, which is mutual authentication via certificate exchange failing in Java: SSLHandshakeException: Remote host terminated the handshake. Basically Java is not sending my .p12 file... I've done everything (this is not a joke) and I can't solve this problem... I even have an issue on Stack Overflow... do you think you could help me? Cheers!
Sometimes there are multiple certificates in the chain and they all need to be imported. Also make sure you test it via Postman to make sure that the certificate is valid and works.
@rahulrandomlearnings Hello, thank you for answering... Insomnia, Postman and Node.js work... I've taken the whole chain and imported it... it's very strange... can I share the Stack Overflow issue with you?
@rahulrandomlearnings Well, to cut a long story short, we already do this in production: we have a .p12 that is sent in the requests. The server just imported one of our certificates at the time. What's happening now is that someone from my team is responsible for sending the certificate to the people on the API server that we're trying to consume with Java; he just dismembered the production .p12 and passed the .crt to them. Do you think this step was wrong? Well, the difference in working in the other tools is disabling the certificate check, but I've already done several things and I'm extremely tired because it's been taking my nights off...
Well, for some reason YouTube is deleting my comments when I share the Stack Overflow link... is there another way I can share it with you? I'll add you on LinkedIn, what do you think?
For proxy config please have a look at this answer; hope this helps resolve the issue: stackoverflow.com/questions/45180447/rest-assured-proxy-setting-issue-java-net-connectexception-connection-timed-ou
Hi Rahul, awesome video!!! I created a PKCS12 keystore, and on running it I get this error: Exception in thread "main" java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48). I googled a little and this might be due to me running Java 1.8.0_301. I changed the keystore to JKS and ran it, and now I am seeing a connection timeout error: Exception in thread "main" java.net.ConnectException: Connection timed out: connect. Can you please help me?
Hi, apologies for the delay; somehow your comment was blocked by RU-vid for review, so I only saw it now. You are correct about using PKCS12 on Java 8: the PBES2 cipher that PKCS12 uses is not properly implemented in 8u31. The second one should have worked, but a connection error means that the client cert was not properly imported. I will do a test run on my PC and will let you know.
Hi, this looks like an issue in the code that reads truststores in a few specific Oracle JDK versions. These are the steps I followed:

I went to the Oracle site for downloading JDK 8: www.oracle.com/java/technologies/javase/javase8u211-later-archive-downloads.html

Then I downloaded these three Oracle JDKs:
jdk-8u211-windows-x64.exe
jdk-8u291-windows-x64.exe
jdk-8u301-windows-x64.exe

keytool command: keytool -list -keystore truststore -storetype PKCS12

When running the keytool command from jdk-8u211-windows-x64.exe and jdk-8u291-windows-x64.exe on the PKCS12 truststore I got this error: "data isn't an object ID (tag = 48)".

When running the keytool command from jdk-8u301-windows-x64.exe on the PKCS12 truststore everything worked fine (command line and code).

Then I downloaded a JDK from OpenJDK, version OpenJDK8U-jdk_x64_windows_hotspot_8u332b09.zip. When running the keytool command from OpenJDK 8u332b09 on the PKCS12 truststore I got this error: "Algorithm HmacPBESHA256 not available".

I tried creating a new truststore and importing the root and intermediate certs using both JDKs, but keytool and REST Assured kept on giving errors.

When going through this exercise I also noticed that these errors were at the truststore level and not at the keystore/client_cert.p12 level. So to verify this analysis I wrote a program using HttpsURLConnection and SSLSocketFactory to ignore SSL validation errors and just inject the client certificate p12, and that code worked every time on all JDKs. So we can conclude that some JDK versions are unable to handle a truststore containing the root cert, but all of them are able to inject the client certificate store correctly.
This is the code that I used to verify the same:

import org.junit.Test;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;

import static org.junit.Assert.assertEquals;

public class KeyStoreVerificationTest {

    @Test
    public void should_inject_clientcert_and_return_200_after_ignoring_truststore() throws Exception {
        // Load the client certificate and its private key from the PKCS12 file.
        KeyStore keyStore = KeyStore.getInstance("pkcs12");
        String keyStorePassword = "badssl.com";
        try (InputStream in = new FileInputStream("badssl.com-client.p12")) {
            keyStore.load(in, keyStorePassword.toCharArray());
        }

        // The KeyManager is what presents the client certificate during the TLS handshake.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword.toCharArray());

        // No custom TrustManager is passed (null), so the JDK default truststore (cacerts) is used;
        // the PKCS12 truststore under investigation is not involved at all.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();

        URL url = new URL("https://client.badssl.com/");
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        connection.setSSLSocketFactory(sslSocketFactory);

        // Read the response body; the server only returns 200 if the client cert was accepted.
        StringBuilder sb = new StringBuilder();
        try (BufferedReader br = new BufferedReader(new InputStreamReader(connection.getInputStream()))) {
            String output;
            while ((output = br.readLine()) != null) {
                sb.append(output);
            }
        }
        assertEquals(200, connection.getResponseCode());
        System.out.println(sb);
    }
}
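The test above only proves that the client p12 can be presented. The replies earlier in the thread about missing intermediate certs and about "unable to find valid certification path" point at the truststore side instead. The following is an added diagnostic, not code from the video or from anyone in this thread, that splits the two questions apart with plain JDK APIs: can this JDK even parse the store, does the p12 contain a private key (a p12 with only a certificate gives Java nothing to send), and does a leaf-first chain validate against the truststore under PKIX, naming the certificate at which validation fails. The file names, store types and the password "changeit" are placeholders; "server_chain.pem" is assumed to be the server's chain saved in PEM, leaf first.

```java
// Added diagnostic (not from the video or the thread). Placeholders: file names, store types, passwords.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class StoreDiagnostics {

    /** Loads a keystore; an exception here means this JDK cannot parse the store file itself. */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Alias of the first private-key entry, or null when the store holds certificates only. */
    static String findPrivateKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        return null;
    }

    /** Reads one or more PEM certificates in file order; the file is expected to be leaf first. */
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * PKIX-validates a leaf-first chain against the trusted-certificate entries of the truststore.
     * Returns null on success, otherwise a message naming the certificate at which it failed.
     * A chain whose intermediate is neither in the chain nor in the truststore fails here,
     * just as it does during the TLS handshake.
     */
    static String validateChain(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore); // throws if the store has no trusted certs
        params.setRevocationEnabled(false);                    // path building only; CRL/OCSP needs network
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException ex) {
            int idx = ex.getIndex();
            String subject = idx >= 0 ? chain.get(idx).getSubjectX500Principal().getName() : "(path)";
            return ex.getReason() + " at " + subject + ": " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                                  // placeholder password
        KeyStore client = load("client_cert.p12", "PKCS12", pw);              // placeholder file
        String alias = findPrivateKeyAlias(client);
        System.out.println("client private key alias: " + alias);
        if (alias == null) {
            System.out.println("no private key in the p12: Java has nothing to present in the handshake");
        }

        KeyStore trust = load("truststore", "PKCS12", pw);                    // placeholder file
        System.out.println("truststore entries: " + trust.size());

        List<X509Certificate> serverChain = readPemChain("server_chain.pem"); // placeholder file
        String problem = validateChain(serverChain, trust);
        System.out.println(problem == null ? "server chain validates" : "PKIX failure: " + problem);
    }
}
```

If load() of the truststore throws while load() of the p12 succeeds, the problem is the store format and JDK build, as described above; if both load but validateChain() reports a failure at the leaf, the intermediate is the missing piece.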
@AhmedKhaled-he9mf Was the issue resolved? If it is still an issue then let me know what Java version you are using; I will try to reproduce the error on my machine.
Hi Rahul, thank you for the brilliant explanation. I need help with the following scenario: I have to get a JWT from an endpoint which requires a CA cert (in PEM format) and one client certificate (which is in PFX format). This scenario is working fine in Postman, but could you please advise on how we can do this in REST Assured? Should we convert the PFX file into p12, or is there a better approach? Waiting for your response.
Please have a look at this video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-OrZpBRvJZQ8.html You can import the root cert into cacerts or create your own truststore using keytool -import -file ca.pem -storetype PKCS12 -keystore truststore. The PFX format is not an issue; it will still use PKCS12 as the store type.
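To put the two answers above (keystore from cert + key, truststore from the CA PEM) into REST Assured code, here is an added example that is not from the video or from the commenters. It uses the REST Assured SSLConfig API as it exists in REST Assured 4.x; the file names, the passwords and the https://api.example.com/token endpoint are placeholders for your own values.

```java
// Added example (not from the video or the thread): mutual TLS in REST Assured with a PKCS12
// client keystore and a PKCS12 truststore. Paths, passwords and the URL are placeholders.
import static io.restassured.RestAssured.given;

import io.restassured.RestAssured;
import io.restassured.config.RestAssuredConfig;
import io.restassured.config.SSLConfig;
import io.restassured.response.Response;

public class MutualTlsClientExample {

    // Client identity: the .p12/.pfx built from your certificate and private key.
    private static final String KEYSTORE_PATH = "client_cert.p12";     // placeholder
    private static final String KEYSTORE_PASSWORD = "changeit";        // placeholder

    // Truststore holding the server's root (and intermediate) CA certs, e.g. created with
    //   keytool -import -file ca.pem -storetype PKCS12 -keystore truststore
    private static final String TRUSTSTORE_PATH = "truststore";        // placeholder
    private static final String TRUSTSTORE_PASSWORD = "changeit";      // placeholder

    /** Builds a config that presents the client cert and verifies the server against our own truststore. */
    public static RestAssuredConfig mutualTlsConfig() {
        SSLConfig ssl = SSLConfig.sslConfig()
                .keyStore(KEYSTORE_PATH, KEYSTORE_PASSWORD)
                .keystoreType("PKCS12")        // a .pfx file is PKCS12 as well; no conversion needed
                .trustStore(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD)
                .trustStoreType("PKCS12");
        return RestAssured.config().sslConfig(ssl);
    }

    public static void main(String[] args) {
        Response response = given()
                .config(mutualTlsConfig())
                .when()
                .get("https://api.example.com/token");   // placeholder endpoint
        System.out.println(response.statusCode());
        // Avoid .relaxedHTTPSValidation() here: it switches off server certificate checking,
        // which hides a PKIX problem (missing root/intermediate) instead of fixing it.
    }
}
```

REST Assured looks for the store paths on the classpath first and then on the file system, so either a path relative to the project or an absolute path works. If the keystore type is left at the default, REST Assured treats the file as JKS and a PKCS12 file fails to load, which is why keystoreType and trustStoreType are set explicitly.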
Just for my understanding, the CA certificate is the root one and the .pfx is the client one, right? Sorry, I am asking too many questions as I have no idea about SSL.
Hi Rahul, your videos make it really easy to understand complex topics. Can you help on the point below: my customer has given me a p12 file to connect to his secure API (meaning security is enabled at his server end), and I need to pass a digest token while sending the JSON payload in the request. Can you suggest how to implement this? I am getting a 500 error while testing through the Postman API. Any support on this?
Thank you for your feedback :) Based on my understanding, the digest token concept is basically that instead of passing the username and password Base64 encoded (which we do in basic auth), you pass the values through an algorithm like MD5 and then set the result in the header. Assuming the creator of the API gave you all the required values, you can have a look at this Stack Overflow entry; scroll to the second answer, it has a few screenshots that might help you: stackoverflow.com/questions/9534602/what-is-the-difference-between-digest-and-basic-authentication
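For the digest scheme mentioned in the reply above, REST Assured already implements the exchange with given().auth().digest(user, password). The following added example, which is not from the video or from the commenters, shows what that computes for HTTP Digest with qop="auth" as specified in RFC 2617: the realm, nonce and qop come from the server's 401 challenge, nc and cnonce are chosen by the client, and the MD5 result goes into the Authorization header. The input values are the published worked example from RFC 2617 section 3.5, so the program can check itself against the response value the RFC lists.

```java
// Added example (not from the video or the thread): RFC 2617 Digest "response" for qop=auth.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestAuthExample {

    // Response value printed in the worked example of RFC 2617 section 3.5 for the inputs used in main().
    static final String RFC2617_EXAMPLE_RESPONSE = "6629fae49393a05397450978507c4ef1";

    /** Lower-case hex MD5; weak by today's standards, but it is the hash the scheme specifies. */
    static String md5Hex(String input) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * RFC 2617 response for qop="auth":
     *   HA1      = MD5(username:realm:password)
     *   HA2      = MD5(method:uri)
     *   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
     * The password itself never leaves the client; only this hash is sent.
     */
    static String digestResponse(String user, String realm, String password, String method, String uri,
                                 String nonce, String nc, String cnonce, String qop) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    /** Authorization header value for the retried request; opaque is echoed back exactly as the server sent it. */
    static String authorizationHeader(String user, String realm, String nonce, String uri, String qop,
                                      String nc, String cnonce, String response, String opaque) {
        return "Digest username=\"" + user + "\", realm=\"" + realm + "\", nonce=\"" + nonce + "\""
                + ", uri=\"" + uri + "\", qop=" + qop + ", nc=" + nc + ", cnonce=\"" + cnonce + "\""
                + ", response=\"" + response + "\", opaque=\"" + opaque + "\"";
    }

    public static void main(String[] args) throws Exception {
        // Inputs taken from the worked example in RFC 2617 section 3.5.
        String user = "Mufasa";
        String realm = "testrealm@host.com";
        String password = "Circle Of Life";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String uri = "/dir/index.html";
        String nc = "00000001";
        String cnonce = "0a4f113b";
        String opaque = "5ccc069c403ebaf9f0171e9517f40e41";

        String response = digestResponse(user, realm, password, "GET", uri, nonce, nc, cnonce, "auth");
        if (!response.equals(RFC2617_EXAMPLE_RESPONSE)) {
            throw new IllegalStateException("digest does not match the RFC 2617 example: " + response);
        }
        System.out.println("Authorization: "
                + authorizationHeader(user, realm, nonce, uri, "auth", nc, cnonce, response, opaque));
    }
}
```

Note that nc must increase for every request that reuses the same server nonce, and the response is bound to the HTTP method and URI, so a value computed for GET /dir/index.html is rejected on a POST to another path.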