On Wed, Jun 2, 2010 at 5:46 PM, Jeffrey Baker <jwbaker@gmail.com> wrote:
> I was interested in this[1] work on SSL client certs for JDBC, but I
> see the author stopped working on your project. I hope the list can
> give me a quick clue, because i've been banging my head against this
> all day.
Just to update the list, I did figure this out. Turns out I hadn't
imported my private key into the keystore file. Which, in turn, is a
ridiculous pain in the butt because keytool can only deal with private
keys it generated, or those in PKCS#12 files, and in fact only in
PKCS#12 files protected with passwords. Furthermore once the key is
in the keystore it must also have a password there (keystore password
as well as key password) or the implementation will refuse to use it!
# openssl pkcs12 -export -out client.pkcs12 -in client.cert -inkey client.key
# keytool -importkeystore -deststorepass changeit -destkeystore
client.jks -srckeystore client.pkcs12 -srcstorepass changeit
-srcstoretype PKCS12 -alias 1 -destkeypass changeit
and
$ java -Djavax.net.ssl.keyStore=./client.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=./truststore
Given all that, it works!
-jwb