This section provides a tutorial example on how to make a self-signed certificate trusted in an SSL socket communication by importing it into the client's trust store.
One way to resolve the self-signed certificate problem shown in the previous section
is to pre-install the server's certificate on the client machine and mark it as trusted:
On the server side, export the server's public key as a (self-signed) certificate.
On the client side, import the server's certificate into a key store file.
Run the SSL client program with that key store file as its trust store. This is
done by passing "-Djavax.net.ssl.trustStore=myKeyStore.jks" as a java option.
The trust store holds only certificates, never the server's private key, so it can be copied to every client machine.
Here is what I did on the server side:
>\jdk\bin\keytool -export -keystore herong.jks -alias my_home
-file my_home.crt
Enter keystore password: HerongJKS
Certificate stored in file <my_home.crt>
>"send my_home.crt to the client machine..."
Here is what I did on the client side. Before answering "yes" at the "Trust this certificate?" prompt, compare the fingerprints keytool displays with the ones printed on the server machine ("keytool -printcert -file my_home.crt") and obtained through a channel other than the one that carried the file; importing an unverified certificate means the trust store trusts whoever sent it.
>"receive my_home.crt from the server machine..."
>\jdk\bin\keytool -import -keystore public.jks -alias herong_home
-file my_home.crt
Enter keystore password: PublicJKS
Owner: CN=Herong Yang, OU=My unit, O=My home, L=My city, ST=My sta...
Issuer: CN=Herong Yang, OU=My unit, O=My home, L=My city, ST=My st...
Serial number: 42266fba
Valid from: Sat Jan 01 21:00:26 EST 2005 until: Tue May 31 22:00:2...
Certificate fingerprints:
MD5: 55:2C:5B:49:47:CB:61:40:FD:1A:3C:B7:16:6C:8E:7E
SHA1: EC:B6:77:A1:21:9F:7E:AE:AF:B0:7C:AC:C5:B7:24:B7:45:...
Trust this certificate? [no]: y
Certificate was added to keystore
Now run SslReverseEchoer again. Then run SslSocketClient with public.jks as the trust store:
>\jdk\bin\java -cp . "-Djavax.net.ssl.trustStore=public.jks"
SslSocketClient
Socket class: class com.sun.net.ssl.internal.ssl.SSLSocketImpl
Remote address = localhost/127.0.0.1
Remote port = 8888
Local socket address = /127.0.0.1:2187
Local address = /127.0.0.1
Local port = 2187
Need client authentication = false
Cipher suite = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Protocol = TLSv1
Welcome to SSL Reverse Echo Server. Please type in some words.
Hello world!
!dlrow olleH
It works!
!skrow tI
.
Congratulations! We have successfully used JSSE to create an SSL socket
communication in which the server's self-signed certificate is verified against our own trust store.
Note that:
Even though I specified "SSL" when constructing the SSLContext object, the
final protocol used in the communication is TLSv1. This is expected: in Sun's JSSE the "SSL" context enables both SSLv3 and TLSv1 (plus the SSLv2Hello pseudo-protocol for compatibility), and the handshake negotiates the highest version both ends enable, which here is TLSv1. Both SSLv3 and TLSv1 are obsolete today; a current JDK disables SSLv3 and negotiates TLSv1.2 or TLSv1.3 unless the enabled protocols are restricted explicitly.
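The same result can be achieved without the -Djavax.net.ssl.trustStore option by building the SSLContext from the trust store in code, which also lets the client choose the protocol version instead of accepting whatever the context enables by default, and pin the server's certificate by fingerprint (the check that matters for a self-signed certificate, since no CA vouches for its name). The following client is an added example, not code from the original tutorial; it reuses public.jks and the password PublicJKS from the import step above, assumes the class name PinnedSslSocketClient, assumes the reverse echo server supports TLSv1.2 and behaves line by line as in the session shown above, and uses a hypothetical EXPECTED_SHA256 placeholder that would hold the fingerprint obtained out of band.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class PinnedSslSocketClient {
    // Trust store built with "keytool -import" above and its password (from the page).
    static final String TRUST_STORE = "public.jks";
    static final char[] TRUST_STORE_PASSWORD = "PublicJKS".toCharArray();
    // Hypothetical placeholder: SHA-256 fingerprint of my_home.crt obtained out of band
    // ("keytool -printcert -file my_home.crt"); null means only print what the server presents.
    static final String EXPECTED_SHA256 = null;

    // Build an SSLContext that trusts only the certificates in the given key store,
    // instead of relying on the -Djavax.net.ssl.trustStore system property.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password); // supplying the password enables the JKS integrity check
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    // Colon-separated upper-case hex SHA-256 digest of the DER encoding,
    // the same layout keytool uses for its fingerprints.
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8888;

        SSLContext ctx = contextFromTrustStore(TRUST_STORE, TRUST_STORE_PASSWORD);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Choose the version explicitly rather than leaving it to the context's defaults
            // (assumes the server also enables TLSv1.2).
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            socket.startHandshake(); // throws SSLHandshakeException if the server cert is not trusted

            SSLSession session = socket.getSession();
            X509Certificate peer = (X509Certificate) session.getPeerCertificates()[0];
            String fingerprint = sha256Fingerprint(peer);
            System.out.println("Protocol = " + session.getProtocol());
            System.out.println("Cipher suite = " + session.getCipherSuite());
            System.out.println("Peer subject = " + peer.getSubjectX500Principal());
            System.out.println("Peer SHA-256 = " + fingerprint);

            // A self-signed certificate has no CA-vouched name, so pin the exact certificate
            // instead of performing host name verification.
            if (EXPECTED_SHA256 != null && !EXPECTED_SHA256.equalsIgnoreCase(fingerprint)) {
                throw new SSLException("Server certificate fingerprint mismatch: " + fingerprint);
            }

            BufferedReader fromServer =
                new BufferedReader(new InputStreamReader(socket.getInputStream(), "UTF-8"));
            PrintWriter toServer = new PrintWriter(socket.getOutputStream(), true);
            BufferedReader console = new BufferedReader(new InputStreamReader(System.in));
            System.out.println(fromServer.readLine()); // welcome banner from the echo server
            String line;
            while ((line = console.readLine()) != null) {
                toServer.println(line);
                if (line.equals(".")) break; // same end-of-session marker as in the transcript
                System.out.println(fromServer.readLine());
            }
        }
    }
}
```

Compile with javac and run with "java PinnedSslSocketClient" while SslReverseEchoer is listening on port 8888; no -D option is needed because the trust store is loaded in code. If the server only enables SSLv3/TLSv1, the handshake fails with "No appropriate protocol", which is the intended outcome of restricting the client to TLSv1.2.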