Java Keystore Problem: Trustore with Subject CN is Not Ca Certificate

Java Keystore Problem: Trustore with Subject CN is Not Ca Certificate

  10:06 PM    Dexter

---

Detailed Step by Step instructions I followed to achieve this

 SSource : StackOverflow =>
Vipul

• Download bouncycastle JAR from http://repo2.maven.org/maven2/org/bouncycastle/bcprov-ext-jdk15on/1.46/bcprov-ext-jdk15on-1.46.jar or take it from the "doc" folder.
• Configure BouncyCastle for PC using one of the below methods.
  • Adding the BC Provider Statically (Recommended)
    • Copy the bcprov-ext-jdk15on-1.46.jar to each
      • D:\tools\jdk1.5.0_09\jre\lib\ext (JDK (bundled JRE)
      • D:\tools\jre1.5.0_09\lib\ext (JRE)
      • C:\ (location to be used in env variable)
    • Modify the java.security file under
      • D:\tools\jdk1.5.0_09\jre\lib\security
      • D:\tools\jre1.5.0_09\lib\security
      • and add the following entry
        • security.provider.7=org.bouncycastle.jce.provider.BouncyCastleProvider
    • Add the following environment variable in "User Variables" section
      • CLASSPATH=%CLASSPATH%;c:\bcprov-ext-jdk15on-1.46.jar
  • Add bcprov-ext-jdk15on-1.46.jar to CLASSPATH of your project and Add the following line in your code
    • Security.addProvider(new BouncyCastleProvider());
• Generate the Keystore using Bouncy Castle
  • Run the following command
    • keytool -genkey -alias myproject -keystore C:/myproject.keystore -storepass myproject -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
  • This generates the file C:\myproject.keystore
  • Run the following command to check if it is properly generated or not
    • keytool -list -keystore C:\myproject.keystore -storetype BKS
• Configure BouncyCastle for TOMCAT
  
  • Open D:\tools\apache-tomcat-6.0.35\conf\server.xml and add the following entry
    
    • <Connector port="8443" keystorePass="myproject" alias="myproject" keystore="c:/myproject.keystore" keystoreType="BKS" SSLEnabled="true" clientAuth="false" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" sslImplementationName="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
  • Restart the server after these changes.
• Configure BouncyCastle for Android Client
  • No need to configure since Android supports Bouncy Castle Version 1.46 internally in the provided "android.jar".
  • Just implement your version of HTTP Client (MyHttpClient.java can be found below) and set the following in code
    • SSLSocketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
  • If you don't do this, it gives an exception as below
    • javax.net.ssl.SSLException: hostname in certificate didn't match: <192.168.104.66> !=
  • In production mode, change the above code to
    • SSLSocketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);