We Keep Coding

GCP client library not working - SSL peer shut down incorrectly

I have sample code to fetch regions from Google Cloud API. This sample code works fine from my laptop (windows with OpenJDK 1.8 version). But the same code fails from kubernetes environment which has suse linux with OpenJDK 1.8 version.
From Suse linux side I get :
Exception in thread "main" java.io.IOException: Error getting access token for service account: Remote host closed connection during handshake
at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:444)
at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:157)
at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:145)
at com.google.auth.oauth2.ServiceAccountCredentials.getRequestMetadata(ServiceAccountCredentials.java:603)
at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:91)
at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:91)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.buildHttpRequest(AbstractGoogleClientRequest.java:404)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:514)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:455)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:565)
at sample.program.gcp.vpvn.regionList(vpvn.java:85)
at sample.program.gcp.vpvn.main(vpvn.java:307)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:994)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264)
at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:113)
at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1012)
at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:441)
... 11 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
... 23 more
When I enable SSL debug, I am not getting much details to troubleshoot this issue:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1616080171 bytes = { 119, 66, 219, 23, 171, 247, 221, 79, 45, 202, 181, 18, 229, 4, 65, 98, 207, 90, 0, 108, 43, 54, 80, 65, 39, 31, 49, 114 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 215
0000: 01 00 00 D3 03 03 60 53 6D 2B 77 42 DB 17 AB F7 ......`Sm+wB....
0010: DD 4F 2D CA B5 12 E5 04 41 62 CF 5A 00 6C 2B 36 .O-.....Ab.Z.l+6
0020: 50 41 27 1F 31 72 00 00 56 C0 24 C0 28 00 3D C0 PA'.1r..V.$.(.=.
0030: 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 C0 &.*.k.j.....5...
0040: 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 00 ..9.8.#.'.<.%.).
0050: 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 00 g.#...../.....3.
0060: 32 C0 2C C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 2.,.+.0.....2...
0070: A3 C0 2F 00 9C C0 2D C0 31 00 9E 00 A2 00 FF 01 ../...-.1.......
0080: 00 00 54 00 0A 00 08 00 06 00 17 00 18 00 19 00 ..T.............
0090: 0B 00 02 01 00 00 0D 00 1C 00 1A 06 03 06 01 05 ................
00A0: 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 02 ................
00B0: 03 02 01 02 02 00 17 00 00 00 00 00 1A 00 18 00 ................
00C0: 00 15 6F 61 75 74 68 32 2E 67 6F 6F 67 6C 65 61 ..oauth2.googlea
00D0: 70 69 73 2E 63 6F 6D pis.com
main, WRITE: TLSv1.2 Handshake, length = 215
[Raw write]: length = 220
0000: 16 03 03 00 D7 01 00 00 D3 03 03 60 53 6D 2B 77 ...........`Sm+w
0010: 42 DB 17 AB F7 DD 4F 2D CA B5 12 E5 04 41 62 CF B.....O-.....Ab.
0020: 5A 00 6C 2B 36 50 41 27 1F 31 72 00 00 56 C0 24 Z.l+6PA'.1r..V.$
0030: C0 28 00 3D C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 .(.=.&.*.k.j....
0040: 00 35 C0 05 C0 0F 00 39 00 38 C0 23 C0 27 00 3C .5.....9.8.#.'.<
0050: C0 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 .%.).g.#...../..
0060: C0 0E 00 33 00 32 C0 2C C0 2B C0 30 00 9D C0 2E ...3.2.,.+.0....
0070: C0 32 00 9F 00 A3 C0 2F 00 9C C0 2D C0 31 00 9E .2...../...-.1..
0080: 00 A2 00 FF 01 00 00 54 00 0A 00 08 00 06 00 17 .......T........
0090: 00 18 00 19 00 0B 00 02 01 00 00 0D 00 1C 00 1A ................
00A0: 06 03 06 01 05 03 05 01 04 03 04 01 04 02 03 03 ................
00B0: 03 01 03 02 02 03 02 01 02 02 00 17 00 00 00 00 ................
00C0: 00 1A 00 18 00 00 15 6F 61 75 74 68 32 2E 67 6F .......oauth2.go
00D0: 6F 67 6C 65 61 70 69 73 2E 63 6F 6D ogleapis.com
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
Any hints on how to troubleshoot this issue?
Here with my sample code:
public static void main(String args[]) throws GeneralSecurityException, IOException {
Compute computeService = createComputeService();
Compute.Regions.List request = computeService.regions().list("imageagg-nonprod");
System.out.println("the list of regions for the selected project is \n");
RegionList response;
do {
response = request.execute();
if (response.getItems() == null) {
continue;
}
request.setPageToken(response.getNextPageToken());
} while (response.getNextPageToken() != null);
ArrayList regionNames = new ArrayList<String>();
HashMap<String, ArrayList<String>> ZoneList = new HashMap<>();
response.getItems().forEach(region -> {
ArrayList<String> zones = new ArrayList<String>();
regionNames.add(region.getName());
region.getZones().forEach(zone -> {
zones.add(Paths.get(URI.create(zone).getPath()).getFileName().toString());
});
ZoneList.put(region.getName(), zones);
});
System.out.println("list of region for selected project is \n");
regionNames.forEach(element -> {
System.out.println(element);
});
System.out.println("the names of regions and Zones for the selected Project is \n");
Set entries = ZoneList.entrySet();
Iterator it = entries.iterator();
while (it.hasNext()) {
Map.Entry pair = (Map.Entry) it.next();
System.out.println(pair.getKey() + " = " + pair.getValue());
}
machineList(ZoneList);
}
public static Compute createComputeService() throws IOException, GeneralSecurityException {
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
String proxyHostOpt = "web-proxy.in.software.net";
int proxyPort = 8080;
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
HttpTransport abc = new NetHttpTransport.Builder().trustCertificates(GoogleUtils.getCertificateTrustStore())
.setProxy(new Proxy(Proxy.Type.HTTP, InetSocketAddress.createUnresolved(proxyHostOpt, proxyPort))).build();
//GoogleCredential credential = GoogleCredential.getApplicationDefault(abc,jsonFactory);
List<String> scopes = new ArrayList<>();
//scopes.add("https://www.googleapis.com/auth/cloud-platform");
String jsonToken = "{\n" + " \"type\": \"service_account\",\n" + " \"project_id\": \"imageagg-nonprod\",\n" + " \"private_key_id\": \"99c871d2855b4d9388cc7a3a670a5764deb8c5e9\",\n" + " \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDh9k2JcCFrDZfm\\ng9DONfKe8xATwljEsW8FXMbPzU5JoXXsy1CYgkeW+eqXguQxFZM3HuI1W+mGBxgE\\n/K2P7XvJxylv7NajpgNmm4KGIh4hOpi+Sn3GVS31ftGM5A/CYKhRpr5uskr5PEin\\nDYxl0hUnfTodJCT+uxPxoCeN8aWuq5s+BapKKB8KVduUqmz3f8GL2Pc5wlm/YyOK\\nJYC781MAzLIFe8cLAVUJrVETqOtFTPCjy0yMGiUKxkyL20C11WFwfdD5ou0SD+6U\\nsT1YD/15KYh9GvV1E2XIPGzVtSHvU9h7FDRqOa+05QP3uDHegrAAib4PHA/A7KPD\\nBwkA6sW/AgMBAAECggEAHCPBtS9vIfdP5uecfcmvHMdVRbiquFgGZOsQYTmGmdnP\\nJz2MnGmBA9a8tc=\\n-----END PRIVATE KEY-----\\n\",\n" + " \"client_email\": \"315654350484-compute#developer.gserviceaccount.com\",\n" + " \"client_id\": \"112960668\",\n" + " \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n" + " \"token_uri\": \"https://oauth2.googleapis.com/token\",\n" + " \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n" + " \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/315654350484-compute%40developer.gserviceaccount.com\"\n" + "}";
ObjectMapper objectMapper = new ObjectMapper();
Map<String, Object> map
= objectMapper.readValue(jsonToken, new TypeReference<Map<String,Object>>(){});
scopes.add(ComputeScopes.COMPUTE);
scopes.add(ComputeScopes.CLOUD_PLATFORM);
//scopes.add(ComputeScopes.DEVSTORAGE_FULL_CONTROL);
GoogleCredentials credentials = GoogleCredentials.fromStream(IOUtils.toInputStream(jsonToken, StandardCharsets.UTF_8)).createScoped(scopes);
ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(IOUtils.toInputStream(jsonToken, StandardCharsets.UTF_8));
HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(credentials);
// Making call with credentials1 created with json string and proxy set as per requirements
return new Compute.Builder(abc, jsonFactory, requestInitializer).setApplicationName("hcmx").build();
}
My java version details:
java -version
openjdk version "11" 2018-09-25
OpenJDK Runtime Environment 18.9 (build 11+28)
OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)
Environment where code is running:
[root#hcm-pool-centos76-3 ~]# uname -a
Linux hcm-pool-centos76-3 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2

Cannot route from a http request to a https request using the spring cloud gateway

I want to route all http requests to a https service using the spring cloud gateway but always receive a handshake_failure.
Routing everything to https://google.com for example works, but to my own service with its private certificate, created and signed by my own private CA, it does not, although I provided the matching truststore via -Djavax.net.ssl.trustStore and set useInsecureTrustManager: true. So what is wrong here?
My spring cloud gateway config:
server:
port: ${PORT:8081}
spring:
application:
name: gateway-service
cloud:
gateway:
httpclient:
ssl:
useInsecureTrustManager: true
routes:
- id: after_route
uri: https://my.server:2900/server/ping
predicates:
- After=2017-01-20T17:42:47.789-07:00[America/Denver]
And the log out put with -Djavax.net.debug=all:
2019-07-30 14:14:27.206 INFO 8257 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$ddc24342] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.1.6.RELEASE)
2019-07-30 14:14:27.315 INFO 8257 --- [ main] com.tobias.gateway.Gateway : No active profile set, falling back to default profiles: default
2019-07-30 14:14:27.704 INFO 8257 --- [ main] o.s.cloud.context.scope.GenericScope : BeanFactory id=90eb380c-f88b-3401-b688-6ef3ead8e5f1
2019-07-30 14:14:27.724 INFO 8257 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$ddc24342] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.950 CEST|SSLContextImpl.java:427|System property jdk.tls.client.cipherSuites is set to 'null'
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.953 CEST|SSLContextImpl.java:427|System property jdk.tls.server.cipherSuites is set to 'null'
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.974 CEST|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:27.984 CEST|SSLContextImpl.java:401|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|01|main|2019-07-30 14:14:27.984 CEST|SSLContextImpl.java:410|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
...
... Lots of other ignored cipher suites
...
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.009 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.009 CEST|TrustStoreManager.java:311|Reload the trust store
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.022 CEST|TrustStoreManager.java:318|Reload trust certs
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.022 CEST|TrustStoreManager.java:323|Reloaded 1 trust certs
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.026 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.026 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.026 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.040 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.041 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.041 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.042 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.048 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.049 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.049 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.049 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.055 CEST|TrustStoreManager.java:112|trustStore is: truststore.jks
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Apr 10 10:36:03 CEST 2019
javax.net.ssl|DEBUG|01|main|2019-07-30 14:14:28.056 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 E0 97 A2 3A FB A3 C1 44",
"signature algorithm": "SHA256withRSA",
"issuer" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"not before" : "2018-10-05 13:38:39.000 CEST",
"not after" : "2023-10-04 13:38:39.000 CEST",
"subject" : "EMAILADDRESS=my#e.mail, CN=My Root Certificate Authority, OU=My OU, O=Me, L=Hamburg, ST=Hamburg, C=DE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 FB AB 07 09 69 28 5C 53 05 29 49 44 B1 5C C7 .....i(\S.)ID.\.
0010: E2 A3 54 22 ..T"
]
]
}
]}
)
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.056 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.056 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.068 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2019-07-30 14:14:28.068 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [After]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Before]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Between]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Cookie]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Header]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Host]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Method]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Path]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Query]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [ReadBodyPredicateFactory]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [RemoteAddr]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [Weight]
2019-07-30 14:14:28.408 INFO 8257 --- [ main] o.s.c.g.r.RouteDefinitionRouteLocator : Loaded RoutePredicateFactory [CloudFoundryRouteService]
2019-07-30 14:14:28.828 INFO 8257 --- [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port(s): 8081
2019-07-30 14:14:28.832 INFO 8257 --- [ main] com.tobias.gateway.Gateway : Started Gateway in 2.114 seconds (JVM running for 2.72)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.298 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.299 CEST|HandshakeContext.java:290|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.308 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe2048
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe3072
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe4096
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe6144
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.309 CEST|SupportedGroupsExtension.java:841|Ignore inactive or disabled named group: ffdhe8192
javax.net.ssl|WARNING|29|reactor-http-nio-6|2019-07-30 14:14:36.313 CEST|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|29|reactor-http-nio-6|2019-07-30 14:14:36.314 CEST|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|ALL|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|SignatureScheme.java:358|Ignore disabled signature sheme: rsa_md5
javax.net.ssl|INFO|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.317 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.318 CEST|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "BC 92 B0 0D 8A 40 3B CD E7 64 2D 46 A3 49 24 55 08 48 3A BC 02 B3 31 89 20 B2 F3 68 32 AF C4 82",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
]
}
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.329 CEST|SSLEngineOutputRecord.java:507|WRITE: TLS12 handshake, length = 260
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.330 CEST|SSLEngineOutputRecord.java:525|Raw write (
0000: 16 03 03 01 04 01 00 01 00 03 03 BC 92 B0 0D 8A ................
0010: 40 3B CD E7 64 2D 46 A3 49 24 55 08 48 3A BC 02 #;..d-F.I$U.H:..
0020: B3 31 89 20 B2 F3 68 32 AF C4 82 00 00 10 C0 2C .1. ..h2.......,
0030: C0 2B C0 2F C0 13 C0 14 00 9C 00 2F 00 35 01 00 .+./......./.5..
0040: 00 C7 00 00 00 21 00 1F 00 00 1C 70 6C 61 79 67 .....!.....playg
0050: 72 6F 75 6E 64 2E 6D 61 63 68 69 6E 65 73 2E 6E round.machines.n
0060: 37 6C 61 62 2E 69 6F 00 05 00 05 01 00 00 00 00 7lab.io.........
0070: 00 0A 00 16 00 14 00 17 00 18 00 19 00 09 00 0A ................
0080: 00 0B 00 0C 00 0D 00 0E 00 16 00 0B 00 02 01 00 ................
0090: 00 0D 00 28 00 26 04 03 05 03 06 03 08 04 08 05 ...(.&..........
00A0: 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 04 02 ................
00B0: 03 03 03 01 03 02 02 03 02 01 02 02 00 32 00 28 .............2.(
00C0: 00 26 04 03 05 03 06 03 08 04 08 05 08 06 08 09 .&..............
00D0: 08 0A 08 0B 04 01 05 01 06 01 04 02 03 03 03 01 ................
00E0: 03 02 02 03 02 01 02 02 00 11 00 09 00 07 02 00 ................
00F0: 04 00 00 00 00 00 17 00 00 00 2B 00 07 06 03 03 ..........+.....
0100: 03 02 03 01 FF 01 00 01 00 .........
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.357 CEST|SSLEngineInputRecord.java:177|Raw read (
0000: 15 03 03 00 02 02 28 ......(
)
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.358 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|29|reactor-http-nio-6|2019-07-30 14:14:36.359 CEST|Alert.java:232|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|29|reactor-http-nio-6|2019-07-30 14:14:36.360 CEST|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:672)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:627)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:443)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:422)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1332)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:682)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:617)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:534)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Thread.java:834)}
)

Ok, I found the answer after playing around with the server ssl configuration. The service that I route to ist a spring boot application and its ssl config restricts the cipher suites to use like this:
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
And that suite can not be handled by the spring cloud gateway. If I do not set that property at all, it works.
But now I would like to know what suites the spring cloud gateway supports? And why is that a problem of the gateway at all?

SSL handshake issue on IE 11 with tomcat

When I try to access our website through IE11, SSL handshake failed. On IE, following error is displayed.
SSL Error on IE
I enabled SSL debug logging on tomcat. Result is attached.
SSL debug log
I also did a packet trace through wireshark. Result is attached.
Packet Trace
Can somebody help me in understanding, why IE sent RST and handshake is unsuccessful?
For convenience, here is the SSL debug log copy.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
https-jsse-nio2-10443-exec-7, READ: TLSv1.2 Handshake, length = 175
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 241, 102, 68, 19, 196, 186, 58, 2, 142, 179, 180, 186, 80, 189, 251, 212, 30, 48, 78, 122, 139, 95, 16, 6, 61, 81, 9, 233 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA, SHA512withRSA, SHA512withECDSA
Unsupported extension type_35, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Extension extended_master_secret
Unsupported extension type_24, data: 00:10:03:02:01:00
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-3, SSL_NULL_WITH_NULL_NULL]
Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
%% Negotiating: [Session-3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1545319557 bytes = { 97, 98, 78, 54, 18, 174, 216, 230, 116, 27, 86, 149, 238, 243, 141, 200, 231, 225, 54, 68, 118, 22, 87, 178, 217, 116, 246, 186 }
Session ID: {92, 28, 181, 133, 160, 19, 139, 114, 99, 216, 10, 155, 173, 137, 237, 25, 140, 59, 153, 195, 245, 204, 179, 49, 89, 205, 42, 221, 126, 28, 147, 57}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 26867932193095777263289930763858312315175451169911540270469975322434401554593517846489231467419363365037593818036593693556117551448063131659525311661292145333515905286916353710412662237765713687248571705693533912575809165971751779925378770578516513573848298027718280225066822697515300871707147459915587779589377876395738318963921532217111299410821422855058019420912762790697366719695263850247093569765798072591751245131093354944223958262752669165567038947970251243583487419772340666576477861756748688921273067030346748496043574503202045236644578277345107987729325458604284470785207456233675325551660606573693389742779
public exponent: 65537
Validity: [From: Mon Oct 22 08:56:19 EDT 2018,
To: Thu Oct 19 08:56:19 EDT 2028]
Issuer: CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US
SerialNumber: [ 29565e6b]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F4 F5 1B CB 86 A2 7F 5E 25 2C 5D 9D 62 B8 67 45 .......^%,].b.gE
0010: 06 B5 9E 82 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 16 F2 4F B7 B3 AC E9 87 27 18 C5 FC 9D 61 FF 58 ..O.....'....a.X
0010: A8 D5 9D D8 BA 9E 5A 1D E9 96 EC 17 C4 16 09 EB ......Z.........
0020: 6A F8 5E 3A 62 FC DF 73 13 A6 A7 54 D1 A0 E2 56 j.^:b..s...T...V
0030: 51 C9 7E 55 DA 89 80 1A 30 7E 31 2C 03 C4 90 84 Q..U....0.1,....
0040: 62 B9 AA 6D 0C E0 33 CB 89 59 B3 89 59 48 7F B5 b..m..3..Y..YH..
0050: 55 6B 2F CA 37 E0 96 98 FB 75 73 1C EC 4D A8 3A Uk/.7....us..M.:
0060: 89 49 C9 EA AC 8A 2F 65 F1 4D 98 74 87 F8 2D 5E .I..../e.M.t..-^
0070: 89 60 49 17 04 79 F7 EA D4 B0 C3 FF 0B 6E 98 5C .`I..y.......n.\
0080: 9D 16 AE 00 09 55 38 DB 78 23 52 68 EC 79 43 16 .....U8.x#Rh.yC.
0090: EF 28 7E 9E 27 7C 31 FD 4F AB 25 A7 13 94 AC 88 .(..'.1.O.%.....
00A0: DE 60 A8 94 15 8D F0 32 AF 7C 3A F8 DA AD 7A EA .`.....2..:...z.
00B0: FB B4 AF 77 31 8C FC 20 52 CA 36 4A 9F 1A 3E 62 ...w1.. R.6J..>b
00C0: 01 F7 EF 72 FB 06 FC 7F 83 7A 0F FB 71 EA 4C C5 ...r.....z..q.L.
00D0: 0E 14 9D 64 89 7E 85 AE 76 A7 0A 21 4E 3F E5 17 ...d....v..!N?..
00E0: 35 39 DA A8 F5 84 41 C2 38 22 80 73 A0 91 E0 11 59....A.8".s....
00F0: 2D 4F B9 A9 B5 B9 37 7A 25 EE 73 3C 32 23 C6 19 -O....7z%.s<2#..
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 20009119234614195494302209861076680467201992809229109970753322221057487611764
public y coord: 17012831469688718179923828827485619723638464800697160800297861041710637731326
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=082>
<CN=294>
<CN=1136>
<CN=1363>
<CN=1274>
<CN=1278>
<CN=528>
<CN=107>
<CN=734>
<CN=624>
<CN=104>
<CN=373>
<CN=1407>
<CN=071>
<CN=1000>
<CN=450>
<CN=1330>
<CN=607>
<CN=1353>
<CN=059>
<CN=233>
<CN=151>
<CN=911>
<CN=1272>
<CN=1259>
<CN=815>
<CN=1084>
<CN=1106>
<CN=483>
<CN=575>
<CN=1398>
<CN=357>
<CN=976>
<CN=701>
<CN=605>
<CN=204>
<CN=382>
<CN=455>
<CN=1265>
<CN=914>
<CN=1400>
<CN=363>
<CN=541>
<CN=423>
<CN=391>
<CN=933>
<CN=157>
<CN=197>
<CN=610>
<CN=174>
<CN=1064>
<CN=348>
<CN=1355>
<CN=748>
<CN=955>
<CN=212>
<CN=820>
<CN=105>
<CN=202>
<CN=281>
<CN=823>
<CN=1248>
<CN=685>
<CN=1134>
<CN=220>
<CN=045>
<CN=580>
<CN=1061>
<CN=466>
<CN=987>
<CN=988>
<CN=064>
<CN=1086>
<CN=1364>
<CN=842>
<CN=973>
<CN=460>
<CN=069>
<CN=1307>
<CN=1381>
<CN=291>
<CN=699>
<CN=882>
<CN=1179>
<CN=683>
<CN=499>
<CN=594>
<CN=1045>
<CN=474>
<CN=793>
<CN=871>
<CN=632>
<CN=1216>
<CN=1035>
<CN=870>
<CN=874>
<CN=1463>
<CN=021>
<CN=1180>
<CN=891>
<CN=1011>
<CN=130>
<CN=375>
<CN=315>
<CN=888>
<CN=1004>
<CN=023>
<CN=1176>
<CN=290>
<CN=400>
<CN=969>
<CN=709>
<CN=886>
<CN=1396>
<CN=224>
<CN=1135>
<CN=304>
<CN=1240>
<CN=989>
<CN=358>
<CN=1122>
<CN=1104>
<CN=1389>
<CN=776>
<CN=975>
<CN=1103>
<CN=1303>
<CN=1293>
<CN=1209>
<CN=1166>
<CN=853>
<CN=651>
<CN=781>
<CN=347>
<CN=974>
<CN=694>
<CN=1159>
<CN=049>
<CN=158>
<CN=1297>
<CN=1172>
<CN=526>
<CN=1031>
<CN=1490>
<CN=1024>
<CN=300>
<CN=1076>
<CN=141>
<CN=706>
<CN=381>
<CN=619>
<CN=398>
<CN=1258>
<CN=1139>
<CN=146>
<CN=428>
<CN=703>
<CN=189>
<CN=677>
<CN=166>
<CN=1168>
<CN=1251>
<CN=556>
<CN=1085>
<CN=1001>
<CN=795>
<CN=676>
<CN=999>
<CN=156>
<CN=1074>
<CN=667>
<CN=1038>
<CN=960>
<CN=560>
<CN=501>
<CN=1243>
<CN=1483>
<CN=1420>
<CN=462>
<CN=079>
<CN=1461>
<CN=857>
<CN=851>
<CN=502>
<CN=1414>
<CN=807>
<CN=198>
<CN=1261>
<CN=438>
<CN=472>
<CN=012>
<CN=1187>
<CN=707>
<CN=716>
<CN=238>
<CN=1203>
<CN=554>
<CN=342>
<CN=240>
<CN=1392>
<CN=1315>
<CN=1370>
<CN=520>
<CN=1023>
<CN=881>
<CN=048>
<CN=388>
<CN=210>
<CN=209>
<CN=1090>
<CN=095>
<CN=777>
<CN=1436>
<CN=1108>
<CN=1462>
<CN=409>
<CN=1406>
<CN=979>
<CN=817>
<CN=1354>
<CN=801>
<CN=184>
<CN=540>
<CN=116>
<CN=1464>
<CN=406>
<CN=378>
<CN=691>
<CN=659>
<CN=635>
<CN=1413>
<CN=1302>
<CN=565>
<CN=805>
<CN=121>
<CN=700>
<CN=530>
<CN=1002>
<CN=964>
<CN=385>
<CN=1481>
<CN=616>
<CN=929>
<CN=1142>
<CN=489>
<CN=552>
<CN=956>
<CN=806>
<CN=1422>
<CN=1098>
<CN=328>
<CN=1202>
<CN=1280>
<CN=093>
<CN=578>
<CN=1123>
<CN=753>
<CN=190>
<CN=949>
<CN=1430>
<CN=497>
<CN=1428>
<CN=337>
<CN=1475>
<CN=313>
<CN=1417>
<CN=250>
<CN=159>
<CN=237>
<CN=087>
<CN=215>
<CN=1022>
<CN=915>
<CN=991>
<CN=893>
<CN=840>
<CN=425>
<CN=1079>
<CN=1020>
<CN=128>
<CN=487>
<CN=448>
<CN=1057>
<CN=1041>
<CN=1252>
<CN=216>
<CN=791>
<CN=1286>
<CN=199>
<CN=912>
<CN=1182>
<CN=1115>
<CN=260>
<CN=1394>
<CN=265>
<CN=771>
<CN=814>
<CN=1277>
<CN=479>
<CN=437>
<CN=075>
<CN=1050>
<CN=1371>
<CN=505>
<CN=014>
<CN=887>
<CN=1405>
<CN=231>
<CN=1424>
<CN=177>
<CN=1132>
<CN=033>
<CN=1331>
<CN=203>
<CN=772>
<CN=862>
<CN=416>
<CN=1455>
<CN=1266>
<CN=1010>
<CN=1465>
<CN=549>
<CN=1040>
<CN=1299>
<CN=047>
<CN=491>
<CN=350>
<CN=343>
<CN=006>
<CN=433>
<CN=1184>
<CN=731>
<CN=944>
<CN=1444>
<CN=1095>
<CN=843>
<CN=1291>
<CN=211>
<CN=320>
<CN=982>
<CN=1021>
<CN=135>
<CN=138>
<CN=844>
<CN=797>
<CN=1298>
<CN=031>
<CN=1260>
<CN=1169>
<CN=595>
<CN=747>
<CN=1473>
<CN=072>
<CN=513>
<CN=968>
<CN=846>
<CN=312>
<CN=562>
<CN=938>
<CN=1171>
<CN=1336>
<CN=946>
<CN=867>
<CN=490>
<CN=650>
<CN=1387>
<CN=080>
<CN=162>
<CN=330>
<CN=1015>
<CN=704>
<CN=1219>
<CN=1474>
<CN=755>
<CN=959>
<CN=1088>
<CN=997>
<CN=1003>
<CN=179>
<CN=1033>
<CN=1173>
<CN=621>
<CN=266>
<CN=028>
<CN=894>
<CN=1054>
<CN=427>
<CN=498>
<CN=379>
<CN=305>
<CN=401>
<CN=729>
<CN=1099>
<CN=1344>
<CN=1250>
<CN=219>
<CN=604>
<CN=935>
<CN=317>
<CN=735>
<CN=456>
<CN=1043>
<CN=761>
<CN=311>
<CN=757>
<CN=546>
<CN=684>
<CN=507>
<CN=148>
<CN=061>
<CN=693>
<CN=917>
<CN=1433>
<CN=191>
<CN=1359>
<CN=1263>
<CN=1321>
<CN=108>
<CN=345>
<CN=1144>
<CN=1233>
<CN=074>
<CN=821>
<CN=1411>
<CN=150>
<CN=961>
<CN=037>
<CN=1348>
<CN=1292>
<CN=1440>
<CN=1377>
<CN=279>
<CN=713>
<CN=739>
<CN=647>
<CN=395>
<CN=114>
<CN=407>
<CN=368>
<CN=276>
<CN=262>
<CN=1468>
<CN=1479>
<CN=921>
<CN=322>
<CN=067>
<CN=1231>
<CN=1141>
<CN=147>
<CN=062>
<CN=366>
<CN=1186>
<CN=1154>
<CN=1071>
<CN=570>
<CN=1427>
<CN=393>
<CN=030>
<CN=310>
<CN=452>
<CN=1178>
<CN=1034>
<CN=732>
<CN=636>
<CN=458>
<CN=1016>
<CN=1107>
<CN=1147>
<CN=241>
<CN=896>
<CN=723>
<CN=1454>
<CN=688>
<CN=773>
<CN=1452>
<CN=426>
<CN=1485>
<CN=1198>
<CN=932>
<CN=1236>
<CN=602>
<CN=469>
<CN=985>
<CN=1197>
<CN=206>
<CN=796>
<CN=1489>
<CN=561>
<CN=653>
<CN=759>
<CN=1312>
<CN=1013>
<CN=662>
<CN=032>
<CN=623>
<CN=573>
<CN=115>
<CN=942>
<CN=812>
<CN=1447>
<CN=783>
<CN=1416>
<CN=371>
<CN=1082>
<CN=903>
<CN=780>
<CN=1358>
<CN=1162>
<CN=122>
<CN=022>
<CN=253>
<CN=869>
<CN=800>
<CN=194>
<CN=164>
<CN=365>
<CN=429>
<CN=170>
<CN=506>
<CN=1192>
<CN=1285>
<CN=503>
<CN=1287>
<CN=678>
<CN=1350>
<CN=1237>
<CN=1409>
<CN=178>
<CN=145>
<CN=711>
<CN=858>
<CN=719>
<CN=005>
<CN=1175>
<CN=884>
<CN=1019>
<CN=361>
<CN=947>
<CN=758>
<CN=571>
<CN=1025>
<CN=1322>
<CN=790>
<CN=1294>
<CN=222>
<CN=837>
<CN=389>
<CN=744>
<CN=1130>
<CN=256>
<CN=1431>
<CN=720>
<CN=1459>
<CN=436>
<CN=239>
<CN=113>
<CN=399>
<CN=649>
<CN=163>
<CN=728>
<CN=1174>
<CN=217>
<CN=027>
<CN=100>
<CN=883>
<CN=637>
<CN=1314>
<CN=085>
<CN=1375>
<CN=727>
<CN=945>
<CN=1126>
<CN=970>
<CN=890>
<CN=494>
<CN=779>
<CN=076>
<CN=485>
<CN=1110>
<CN=872>
<CN=998>
<CN=271>
<CN=063>
<CN=1466>
<CN=816>
<CN=1222>
<CN=397>
<CN=447>
<CN=527>
<CN=833>
<CN=825>
<CN=1140>
<CN=1339>
<CN=1068>
<CN=845>
<CN=741>
<CN=1226>
<CN=323>
<CN=864>
<CN=118>
<CN=171>
<CN=1234>
<CN=1380>
<CN=1116>
<CN=1471>
<CN=413>
<CN=1476>
<CN=218>
<CN=432>
<CN=1487>
<CN=1313>
<CN=1451>
<CN=408>
<CN=631>
<CN=041>
<CN=533>
<CN=854>
<CN=588>
<CN=232>
<CN=039>
<CN=1157>
<CN=547>
<CN=213>
<CN=612>
<CN=129>
<CN=629>
<CN=1214>
<CN=254>
<CN=1279>
<CN=994>
<CN=1264>
<CN=470>
<CN=751>
<CN=664>
<CN=332>
<CN=1491>
<CN=967>
<CN=1083>
<CN=1300>
<CN=1146>
<CN=1325>
<CN=1072>
<CN=557>
<CN=172>
<CN=827>
<CN=269>
<CN=1254>
<CN=051>
<CN=740>
<CN=579>
<CN=669>
<CN=550>
<CN=1138>
<CN=834>
<CN=516>
<CN=1097>
<CN=242>
<CN=1111>
<CN=390>
<CN=895>
<CN=514>
<CN=056>
<CN=1362>
<CN=1418>
<CN=316>
<CN=909>
<CN=665>
<CN=1478>
<CN=052>
<CN=1256>
<CN=268>
<CN=272>
<CN=384>
<CN=1027>
<CN=131>
<CN=1442>
<CN=566>
<CN=1094>
<CN=009>
<CN=1402>
<CN=1311>
<CN=1480>
<CN=1469>
<CN=828>
<CN=736>
<CN=134>
<CN=682>
<CN=586>
<CN=1225>
<CN=302>
<CN=717>
<CN=1319>
<CN=778>
<CN=1425>
<CN=951>
<CN=1051>
<CN=270>
<CN=1190>
<CN=077>
<CN=065>
<CN=698>
<CN=860>
<CN=1308>
<CN=1014>
<CN=1161>
<CN=919>
<CN=414>
<CN=569>
<CN=824>
<CN=1205>
<CN=900>
<CN=913>
<CN=1189>
<CN=193>
<CN=1170>
<CN=1112>
<CN=1412>
<CN=482>
<CN=173>
<CN=349>
<CN=937>
<CN=445>
<CN=003>
<CN=642>
<CN=1155>
<CN=461>
<CN=681>
<CN=420>
<CN=1343>
<CN=346>
<CN=1191>
<CN=286>
<CN=690>
<CN=092>
<CN=1360>
<CN=1255>
<CN=904>
<CN=567>
<CN=331>
<CN=591>
<CN=680>
<CN=954>
<CN=808>
<CN=309>
<CN=878>
<CN=633>
<CN=880>
<CN=175>
<CN=421>
<CN=314>
<CN=289>
<CN=1124>
<CN=873>
<CN=1269>
<CN=036>
<CN=1230>
<CN=1153>
<CN=1128>
<CN=1224>
<CN=534>
<CN=730>
<CN=936>
<CN=925>
<CN=1060>
<CN=752>
<CN=186>
<CN=1133>
<CN=525>
<CN=1048>
<CN=1366>
<CN=283>
<CN=972>
<CN=clockcontroller, OU=WorkForce Software, O=WorkForce Software, C=US>
<CN=746>
<CN=1195>
<CN=1437>
<CN=1042>
<CN=524>
<CN=106>
<CN=529>
<CN=1368>
<CN=1316>
<CN=070>
<CN=643>
<CN=750>
<CN=038>
<CN=767>
<CN=435>
<CN=195>
<CN=1143>
<CN=1129>
<CN=251>
<CN=1296>
<CN=089>
<CN=628>
<CN=261>
<CN=227>
<CN=188>
<CN=957>
<CN=248>
<CN=1193>
<CN=892>
<CN=1289>
<CN=1026>
<CN=040>
<CN=922>
<CN=326>
<CN=966>
<CN=1310>
<CN=020>
<CN=356>
<CN=661>
<CN=258>
<CN=411>
<CN=1221>
<CN=1032>
<CN=459>
<CN=725>
<CN=015>
<CN=656>
<CN=096>
<CN=017>
<CN=620>
<CN=587>
<CN=1318>
<CN=582>
<CN=626>
<CN=1125>
<CN=235>
<CN=165>
<CN=334>
<CN=590>
<CN=167>
<CN=154>
<CN=288>
<CN=103>
<CN=756>
<CN=1117>
<CN=905>
<CN=360>
<CN=1337>
<CN=849>
<CN=221>
<CN=931>
<CN=1327>
<CN=386>
<CN=1208>
<CN=1077>
<CN=001>
<CN=818>
<CN=1391>
<CN=153>
<CN=908>
<CN=086>
<CN=417>
<CN=050>
<CN=1206>
<CN=1073>
<CN=668>
<CN=392>
<CN=924>
<CN=1007>
<CN=644>
<CN=1352>
<CN=1301>
<CN=1211>
<CN=1194>
<CN=876>
<CN=1376>
<CN=338>
<CN=263>
<CN=257>
<CN=803>
<CN=1334>
<CN=1069>
<CN=369>
<CN=518>
<CN=127>
<CN=274>
<CN=1446>
<CN=016>
<CN=1284>
<CN=185>
<CN=765>
<CN=083>
<CN=1268>
<CN=1105>
<CN=544>
<CN=101>
<CN=319>
<CN=1120>
<CN=1432>
<CN=509>
<CN=245>
<CN=1435>
<CN=559>
<CN=144>
<CN=362>
<CN=1188>
<CN=712>
<CN=364>
<CN=282>
<CN=1121>
<CN=225>
<CN=663>
<CN=1372>
<CN=543>
<CN=576>
<CN=1056>
<CN=1037>
<CN=517>
<CN=136>
<CN=531>
<CN=424>
<CN=380>
<CN=615>
<CN=285>
<CN=1404>
<CN=126>
<CN=519>
<CN=1046>
<CN=1087>
<CN=1383>
<CN=267>
<CN=838>
<CN=383>
<CN=002>
<CN=1177>
<CN=434>
<CN=648>
<CN=788>
<CN=789>
<CN=899>
<CN=1055>
<CN=354>
<CN=1338>
<CN=1163>
<CN=287>
<CN=1290>
<CN=563>
<CN=1467>
<CN=1439>
<CN=965>
<CN=1183>
<CN=671>
<CN=042>
<CN=865>
<CN=1253>
<CN=584>
<CN=538>
<CN=1093>
<CN=1009>
<CN=830>
<CN=1309>
<CN=1347>
<CN=1472>
<CN=091>
<CN=724>
<CN=259>
<CN=043>
<CN=670>
<CN=596>
<CN=1148>
<CN=1395>
<CN=430>
<CN=264>
<CN=826>
<CN=109>
<CN=140>
<CN=1445>
<CN=1078>
<CN=1257>
<CN=099>
<CN=948>
<CN=1165>
<CN=273>
<CN=993>
<CN=992>
<CN=088>
<CN=234>
<CN=1458>
<CN=1500>
<CN=848>
<CN=1365>
<CN=1220>
<CN=1092>
<CN=1245>
<CN=875>
<CN=813>
<CN=1030>
<CN=094>
<CN=1346>
<CN=589>
<CN=168>
<CN=325>
<CN=901>
<CN=252>
<CN=1429>
<CN=073>
<CN=1218>
<CN=183>
<CN=117>
<CN=1119>
<CN=577>
<CN=1397>
<CN=111>
<CN=536>
<CN=1246>
<CN=1393>
<CN=769>
<CN=831>
<CN=971>
<CN=1332>
<CN=614>
<CN=053>
<CN=415>
<CN=418>
<CN=708>
<CN=058>
<CN=029>
<CN=412>
<CN=782>
<CN=512>
<CN=1357>
<CN=229>
<CN=1448>
<CN=1497>
<CN=775>
<CN=1379>
<CN=714>
<CN=835>
<CN=1062>
<CN=372>
<CN=500>
<CN=859>
<CN=453>
<CN=1239>
<CN=963>
<CN=1374>
<CN=1270>
<CN=1044>
<CN=084>
<CN=055>
<CN=1275>
<CN=810>
<CN=298>
<CN=1181>
<CN=564>
<CN=007>
<CN=522>
<CN=877>
<CN=745>
<CN=766>
<CN=1388>
<CN=1100>
<CN=1382>
<CN=277>
<CN=1006>
<CN=1212>
<CN=476>
<CN=1039>
<CN=996>
<CN=1109>
<CN=1460>
<CN=161>
<CN=119>
<CN=1118>
<CN=187>
<CN=980>
<CN=511>
<CN=123>
<CN=1434>
<CN=743>
<CN=1151>
<CN=297>
<CN=1410>
<CN=1207>
<CN=655>
<CN=718>
<CN=336>
<CN=454>
<CN=327>
<CN=930>
<CN=822>
<CN=953>
<CN=292>
<CN=1323>
<CN=024>
<CN=1317>
<CN=733>
<CN=396>
<CN=1213>
<CN=1199>
<CN=1283>
<CN=284>
<CN=444>
<CN=923>
<CN=214>
<CN=601>
<CN=645>
<CN=726>
<CN=201>
<CN=1361>
<CN=1242>
<CN=640>
<CN=861>
<CN=1340>
<CN=1326>
<CN=493>
<CN=1295>
<CN=180>
<CN=120>
<CN=608>
<CN=572>
<CN=1276>
<CN=1066>
<CN=1127>
<CN=344>
<CN=149>
<CN=1018>
<CN=568>
<CN=852>
<CN=1244>
<CN=798>
<CN=868>
<CN=060>
<CN=542>
<CN=523>
<CN=367>
<CN=1167>
<CN=1498>
<CN=532>
<CN=1356>
<CN=410>
<CN=255>
<CN=599>
<CN=1477>
<CN=1200>
<CN=786>
<CN=341>
<CN=247>
<CN=1499>
<CN=1450>
<CN=335>
<CN=403>
<CN=078>
<CN=1160>
<CN=200>
<CN=098>
<CN=666>
<CN=419>
<CN=539>
<CN=829>
<CN=301>
<CN=026>
<CN=646>
<CN=768>
<CN=990>
<CN=1036>
<CN=008>
<CN=794>
<CN=1482>
<CN=299>
<CN=1053>
<CN=638>
<CN=359>
<CN=1441>
<CN=125>
<CN=081>
<CN=464>
<CN=995>
<CN=137>
<CN=1215>
<CN=928>
<CN=1081>
<CN=958>
<CN=333>
<CN=1385>
<CN=449>
<CN=613>
<CN=1494>
<CN=181>
<CN=836>
<CN=600>
<CN=1328>
<CN=443>
<CN=370>
<CN=1349>
<CN=340>
<CN=687>
<CN=611>
<CN=496>
<CN=1384>
<CN=1271>
<CN=1185>
<CN=885>
<CN=819>
<CN=1065>
<CN=1210>
<CN=353>
<CN=1453>
<CN=1049>
<CN=439>
<CN=658>
<CN=934>
<CN=1341>
<CN=249>
<CN=521>
<CN=013>
<CN=351>
<CN=169>
<CN=792>
<CN=774>
<CN=537>
<CN=606>
<CN=1114>
<CN=548>
<CN=035>
<CN=784>
<CN=1008>
<CN=422>
<CN=394>
<CN=804>
<CN=907>
<CN=1158>
<CN=721>
<CN=1249>
<CN=770>
<CN=710>
<CN=275>
<CN=545>
<CN=749>
<CN=902>
<CN=555>
<CN=764>
<CN=1267>
<CN=939>
<CN=627>
<CN=374>
<CN=155>
<CN=705>
<CN=981>
<CN=715>
<CN=1149>
<CN=742>
<CN=307>
<CN=1320>
<CN=352>
<CN=1449>
<CN=208>
<CN=1378>
<CN=1367>
<CN=802>
<CN=639>
<CN=879>
<CN=057>
<CN=760>
<CN=1204>
<CN=597>
<CN=689>
<CN=477>
<CN=672>
<CN=738>
<CN=473>
<CN=019>
<CN=243>
<CN=465>
<CN=207>
<CN=1421>
<CN=133>
<CN=467>
<CN=1232>
<CN=244>
<CN=978>
<CN=1047>
<CN=697>
<CN=068>
<CN=660>
<CN=025>
<CN=641>
<CN=1150>
<CN=617>
<CN=855>
<CN=1102>
<CN=481>
<CN=1101>
<CN=468>
<CN=799>
<CN=763>
<CN=112>
<CN=182>
<CN=223>
<CN=1386>
<CN=1113>
<CN=1288>
<CN=920>
<CN=143>
<CN=1005>
<CN=1403>
<CN=1345>
<CN=230>
<CN=1401>
<CN=609>
<CN=280>
<CN=598>
<CN=1304>
<CN=488>
<CN=1470>
<CN=1273>
<CN=926>
<CN=811>
<CN=484>
<CN=510>
<CN=673>
<CN=1486>
<CN=1017>
<CN=832>
<CN=654>
<CN=1415>
<CN=515>
<CN=1012>
<CN=1329>
<CN=1063>
<CN=1052>
<CN=1137>
<CN=387>
<CN=592>
<CN=977>
<CN=558>
<CN=306>
<CN=762>
<CN=1495>
<CN=1228>
<CN=1080>
<CN=321>
<CN=226>
<CN=492>
<CN=847>
<CN=246>
<CN=278>
<CN=471>
<CN=630>
<CN=551>
<CN=451>
<CN=695>
<CN=625>
<CN=889>
<CN=1029>
<CN=622>
<CN=906>
<CN=696>
<CN=440>
<CN=1484>
<CN=1145>
<CN=535>
<CN=856>
<CN=1164>
<CN=754>
<CN=634>
<CN=1028>
<CN=1456>
<CN=1496>
<CN=574>
<CN=124>
<CN=950>
<CN=1373>
<CN=1390>
<CN=097>
<CN=984>
<CN=495>
<CN=446>
<CN=983>
<CN=110>
<CN=839>
<CN=010>
<CN=986>
<CN=910>
<CN=1457>
<CN=1217>
<CN=898>
<CN=034>
<CN=1335>
<CN=1058>
<CN=1229>
<CN=329>
<CN=431>
<CN=1342>
<CN=1333>
<CN=785>
<CN=692>
<CN=722>
<CN=192>
<CN=1369>
<CN=1282>
<CN=1152>
<CN=943>
<CN=553>
<CN=1247>
<CN=011>
<CN=674>
<CN=809>
<CN=318>
<CN=1426>
<CN=478>
<CN=1488>
<CN=863>
<CN=1059>
<CN=402>
<CN=1075>
<CN=004>
<CN=504>
<CN=1281>
<CN=508>
<CN=160>
<CN=1305>
<CN=377>
<CN=581>
<CN=652>
<CN=102>
<CN=657>
<CN=1223>
<CN=296>
<CN=303>
<CN=1438>
<CN=018>
<CN=1492>
<CN=441>
<CN=1235>
<CN=1241>
<CN=293>
<CN=1306>
<CN=152>
<CN=1408>
<CN=1262>
<CN=916>
<CN=139>
<CN=927>
<CN=1238>
<CN=176>
<CN=376>
<CN=593>
<CN=585>
<CN=405>
<CN=486>
<CN=404>
<CN=1399>
<CN=046>
<CN=940>
<CN=1196>
<CN=1227>
<CN=132>
<CN=457>
<CN=142>
<CN=737>
<CN=1493>
<CN=463>
<CN=675>
<CN=897>
<CN=1351>
<CN=841>
<CN=066>
<CN=1443>
<CN=205>
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 16383
*** ServerHelloDone
https-jsse-nio2-10443-exec-7, WRITE: TLSv1.2 Handshake, length = 12558
https-jsse-nio2-10443-exec-9, called closeOutbound()
https-jsse-nio2-10443-exec-9, closeOutboundInternal()
https-jsse-nio2-10443-exec-9, SEND TLSv1.2 ALERT: warning, description = close_notify
https-jsse-nio2-10443-exec-9, WRITE: TLSv1.2 Alert, length = 2
Tomcat connector configuration is,
<Connector port="10443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxHttpHeaderSize="4096"
maxThreads="1050" minSpareThreads="25"
maxKeepAliveRequests="-1" keepAliveTimeout="180000"
enableLookups="false" disableUploadTimeout="true"
acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
clientAuth="want" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
connectionTimeout="180000"
keystoreFile="file.keystore"
keystorePass="file.pass" algorithm="SunX509"
truststoreFile="file.keystore"
truststorePass="file.pass"
truststoreType="JKS"
keyAlias="tomcat"
compression="on"
compressionMinSize="2048"
trustManagerClassName="com.tomcatssl.CustomTrustManager"
useServerCipherSuitesOrder="true"
ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
server="Clock Web Server"
compressableMimeType="text/html,text/xml,text/js,text/css"/>
Thank You

I'm not sure what would cause some browsers to work differently than others for sure, but I do have a guess.
When a server has a trust store configured (for a <Connector>/<SSLHostConfig>), it will advertise the list of trusted certificates to the client during the initial TLS handshake. If you have a huge number of certificates in your trust store, the server will (of course) send them all. If the client isn't expecting to receive a large number of certificates, it may fail when it runs out of space in e.g. a buffer to hold such things. My guess is that MSIE chokes on the long list of acceptable client certificates.
It's unusual for a server to use a <Connector>/<SSLHostConfig> with a large number of certificates in its trust store. Typically, if you need to trust certificates en masse, you generate a CA certificate and use it to sign the individual client certificates, keeping only that CA certificate in your trust store.
If you have a JVM-wide trust store being used for outgoing connections, then you might have a lot of certificates in there. You definitely don't want to use that one for the <Connector>/<SSLHostConfig> on your server. You should use a separate trust-store that contains only the certificates you expect to trust as client TLS certificates. Any other configuration is not secure.
For example, let's say you have VeriSign's root certificate in your trust store. That means anyone who has a client certificate signed by VeriSign can establish a connection with your server. That includes clients outside your organization or circle of trust. You should only include certificates in your trust store that you 100% trust every certificate they could ever have signed.

Make sure that your root certificate is trusted by the browser. For your case, the root is "Cisco Umbrella Root CA", which is not trusted. Follow these steps to import the certificate in browser : https://freesslcert.org/trust-freesslcert-in-browser

fx509Certificate error: Certificate public key does NOT match stored keyset

I'm in need of some serious certificate god intervention. I'm using BouncyCastle csharp to generate a CA and SSL self signed certificate. Below is the code that generates the certificates:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
//Downloaded using nuget, source: http://www.bouncycastle.org/csharp/
//Library is open-source.
namespace CertificateToolLibrary
{
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X9;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509.Extension;
using Org.BouncyCastle.X509;
public class X509Certificate2Builder
{
public string SubjectName
{ set { _subjectName = value; }
get { return _subjectName; }
}
public string SubjectAlternativeName
{ set { _subjectAlternativeName = value; }
get { return _subjectAlternativeName; }
}
public string IssuerName
{ set { _issuerName = value; }
get { return _issuerName; }
}
public AsymmetricAlgorithm IssuerPrivateKey
{ set { _issuerPrivateKey = value; }
get { return _issuerPrivateKey; }
}
public X509Certificate2 Issuer
{
set
{
_issuer = value;
_issuerName = value.IssuerName.Name;
if (value.HasPrivateKey)
_issuerPrivateKey = value.PrivateKey;
}
get { return _issuer; }
}
public int? KeyStrength
{ set { _keyStrength = value ?? 2048; }
get { return _keyStrength; }
}
public DateTime? NotBefore
{ set { _notBefore = value; }
get { return _notBefore; }
}
public DateTime? NotAfter
{ set { _notAfter = value; }
get { return _notAfter; }
}
public bool Intermediate
{ set { _intermediate = value; }
get { return _intermediate; }
}
private string _subjectName;
private string _subjectAlternativeName;
private X509Certificate2 _issuer;
private string _issuerName;
private AsymmetricAlgorithm _issuerPrivateKey;
private int _keyStrength = 2048;
private DateTime? _notBefore;
private DateTime? _notAfter;
private bool _intermediate = true;
private const string KEY_CONTAINER_NAME = "cf16236d-0e91-4cb7-9670-6cdbafe54c11";
public X509Certificate2 BuildCACert(ref AsymmetricKeyParameter CaPrivateKey)
{
const int keyStrength = 2048;
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
// The Certificate Generator
var certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Signature Algorithm
certificateGenerator.SetSignatureAlgorithm("SHA512withRSA");
// Issuer and Subject Name
X509Name subjectDN = new X509Name(_subjectName);
X509Name issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
certificateGenerator.SetNotBefore(_notBefore ?? DateTime.UtcNow.Date.AddDays(-1));
certificateGenerator.SetNotAfter(_notAfter ?? DateTime.UtcNow.Date.AddYears(5));
//Turn Basic Constraints off to remove the error on scout for mozilla_pkix_error_ca_cert_used_as_end entity error:
//https://bugzilla.mozilla.org/show_bug.cgi?id=1034124
// Basic Constraints - certificate is allowed to be used as intermediate.
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(_intermediate));
//Key Usage(s)
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.CrlSign | KeyUsage.KeyCertSign));
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Generating the Certificate
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);
X509Certificate2 x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
CaPrivateKey = issuerKeyPair.Private;
return x509;
}
public X509Certificate2 BuildSelfSignedCert(AsymmetricKeyParameter issuerPrivKey)
{
const int keyStrength = 2048;
// Generating Random Numbers
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
// The Certificate Generator
var certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Signature Algorithm
certificateGenerator.SetSignatureAlgorithm("SHA512withRSA");
// Issuer and Subject Name
certificateGenerator.SetIssuerDN(new X509Name(_issuerName ?? _subjectName));
certificateGenerator.SetSubjectDN(new X509Name(_subjectName));
//Subject Alternative Name
if (!(String.IsNullOrEmpty(_subjectAlternativeName)))
{
//IP Addresss
GeneralNames dnsAltName = new GeneralNames(new GeneralName[] { new GeneralName(GeneralName.IPAddress, _subjectAlternativeName), new GeneralName(GeneralName.DnsName, _subjectAlternativeName) });
//certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, dnsAltName);
}
// Valid For
certificateGenerator.SetNotBefore(_notBefore ?? DateTime.UtcNow.Date.AddDays(-1));
certificateGenerator.SetNotAfter(_notAfter ?? DateTime.UtcNow.Date.AddYears(5));
// Basic Constraints - SSL certificate not allowed to be used as intermediate.
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(false));
// Authority Key Identifier
var authorityKeyIdentifier = new AuthorityKeyIdentifierStructure(DotNetUtilities.FromX509Certificate(_issuer));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, authorityKeyIdentifier);
//Key Usage(s)
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.NonRepudiation | KeyUsage.KeyEncipherment | KeyUsage.DataEncipherment));
//Extended Key Usage(s)
var usages = new[] { KeyPurposeID.IdKPClientAuth, KeyPurposeID.IdKPServerAuth };
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, false, new ExtendedKeyUsage(usages));
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Generating the Certificate
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(issuerPrivKey, random);
// corresponding private key
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
// merge into X509Certificate2
X509Certificate2 x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());
Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("malformed sequence in RSA private key");
}
RsaPrivateKeyStructure rsa = new RsaPrivateKeyStructure(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
x509.PrivateKey = ToDotNetKey(rsaparams);
return x509;
}
public static AsymmetricAlgorithm ToDotNetKey(RsaPrivateCrtKeyParameters privateKey)
{
var cspParams = new CspParameters
{
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider",
ProviderType = 24,
KeyContainerName = KEY_CONTAINER_NAME,
KeyNumber = (int)KeyNumber.Signature,
Flags = CspProviderFlags.UseMachineKeyStore
};
RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider(cspParams);
RSAParameters parameters = new RSAParameters
{
Modulus = privateKey.Modulus.ToByteArrayUnsigned(),
P = privateKey.P.ToByteArrayUnsigned(),
Q = privateKey.Q.ToByteArrayUnsigned(),
DP = privateKey.DP.ToByteArrayUnsigned(),
DQ = privateKey.DQ.ToByteArrayUnsigned(),
InverseQ = privateKey.QInv.ToByteArrayUnsigned(),
D = privateKey.Exponent.ToByteArrayUnsigned(),
Exponent = privateKey.PublicExponent.ToByteArrayUnsigned()
};
rsaProvider.ImportParameters(parameters);
return rsaProvider;
}
}
}
And then, the calling code:
AsymmetricKeyParameter myCAprivateKey = null;
//CA Certificate Actions
ca2 = new X509Certificate2Builder { SubjectName = "CN=Test Certificate Authority" }.BuildCACert(ref myCAprivateKey);
X509Store castore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
castore.Open(OpenFlags.ReadWrite | OpenFlags.MaxAllowed);
castore.Add(ca2);
castore.Close();
//build out the file name.
string localCAFile = txtPFXExport.Text + "\\TestCertificateAuthority.cer";
//export CA cert to desktop.
TestCertificateCreationUtility.Program.ExportCertificateToFileSystem(ca2, localCAFile, false, txtPFXPass.Text);
//SSL Certificate Actions
var cert2 = new X509Certificate2Builder { SubjectName = "CN=" + txtCNAME.Text, SubjectAlternativeName = txtSAN.Text, Issuer = ca2, Intermediate = true }.BuildSelfSignedCert(myCAprivateKey);
//build out the file name.
string localPFXFile = txtPFXExport.Text + "\\" + txtCNAME.Text + ".pfx";
However, when i run certutil -v -store MY, i'm getting:
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: 6b1ccf343b18c7e7
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.13 sha512RSA
Algorithm Parameters:
05 00
Issuer:
CN=Test Certificate Authority
Name Hash(sha1): e63af6f08c0a4f2e190c7bc1a406ac57e167b460
Name Hash(md5): a2f27838878e6ae3df34ed2d9b970a2d
NotBefore: 11/15/2016 7:00 PM
NotAfter: 11/16/2021 7:00 PM
Subject:
CN=10.13.206.99
Name Hash(sha1): ee5776f520e749311a56a44a5b7b15d9ffb5e678
Name Hash(md5): 187b17b18c208ad942b23763d5feacd7
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 ae 12 4d 4d 4a d8 e9
0010 f8 77 9b 2e 29 1f 94 04 d1 8c 59 2b 62 05 1a 9c
0020 0c 2a f7 62 28 ce bd 0d 44 35 18 01 8e 43 56 7b
0030 82 6f 81 79 65 fa 7b c6 1b a4 f2 21 c3 bb 14 cb
0040 79 90 5a 4e b2 fc 37 91 3d cb fe c1 a4 13 df 02
0050 2e f4 da 01 6a bd d2 59 eb af 18 3d 02 36 a6 d4
0060 9d 2a 41 72 d4 da f3 65 9c 78 f0 2a 63 df 38 a7
0070 4d cd 7a 78 67 cb 37 87 52 55 8d 68 4b 5a 7a eb
0080 32 b4 d3 de f4 67 9a 34 8a db 85 b5 bd 55 9f 99
0090 72 53 d3 92 85 aa b6 16 87 83 e0 59 11 64 e1 79
00a0 d9 03 a0 07 bd 1e cd 40 68 ec d2 06 ce 6f 88 31
00b0 34 c9 a5 34 90 fa 0c bd 50 7f fd 67 df 92 69 f5
00c0 f2 62 0c c2 f6 2a 94 62 dd 97 db 01 71 2b aa 78
00d0 3f a7 94 ba 70 e0 d3 cb d8 ae f3 87 8b c1 35 5e
00e0 e7 1d b8 00 fc 34 db 75 f0 ad b6 67 ac 6f 81 f7
00f0 6a 63 3c d3 1b f7 18 5d 83 ad 58 c1 79 2f 4a 56
0100 3e e6 3a a4 a3 94 0c 37 a5 02 03 01 00 01
Certificate Extensions: 4
2.5.29.19: Flags = 0, Length = 2
Basic Constraints
Subject Type=End Entity
Path Length Constraint=None
2.5.29.35: Flags = 0, Length = 4e
Authority Key Identifier
KeyID=a5 25 a6 c6 bf 95 07 31 0f 85 cf cc b6 0a da 16 92 f0 85 47
Certificate Issuer:
Directory Address:
CN=Test Certificate Authority
Certificate SerialNumber=11 c6 33 31 b9 42 f1 7d
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)
2.5.29.37: Flags = 0, Length = 16
Enhanced Key Usage
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.13 sha512RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 e4 0a d2 00 0f 95 6b 8e b8 bd da ff 7d 54 5c b4
0010 d0 13 39 de 53 35 91 dd eb c5 0c 9f 1b 65 01 eb
0020 68 ad 0e b9 cc 4f 11 64 f0 30 49 95 30 5f de 4a
0030 d7 ec c6 22 db 33 c4 7e 50 d7 fc 79 1d 8c 9c 40
0040 18 9d 3b 7d 68 3d c1 51 ad e3 30 99 62 cf 5a 7a
0050 c3 fb 98 06 40 0f 2f 38 60 dd 6e 22 d5 9c df 94
0060 71 c3 a7 c9 80 1d 68 a0 59 e2 89 a6 c2 b5 9a 69
0070 c4 0a 27 d3 80 a5 77 9e 15 c6 da 79 c1 99 7a c4
0080 e7 b8 77 b6 db f8 1d c7 b9 7c 80 de 66 ac e7 38
0090 09 24 0a c5 f9 95 cd 01 0f 23 3d 2c 8f 07 5f 8e
00a0 de e2 50 2e 54 44 72 76 f6 1f 64 d2 bf 47 39 98
00b0 08 79 87 7b f0 c3 c0 bb 69 1d f3 97 1f ab 70 d1
00c0 d7 5b ee 18 08 fc e6 a2 92 73 28 65 98 6e 45 36
00d0 59 8d 37 78 83 e8 80 6b 66 cc ae 49 14 2c 28 11
00e0 29 b3 b3 22 81 b7 27 d7 33 84 d7 75 8c 4d 90 c4
00f0 11 5b c2 11 9b f6 f1 5d d3 6a 04 e1 65 4e 49 69
Non-root Certificate
Key Id Hash(rfc-sha1): cd a7 52 88 42 30 3b f8 9d bf 05 cd 05 52 f8 fa 22 36 8f 48
Key Id Hash(sha1): 2a 62 63 b4 80 89 57 d0 bb a1 ac 34 1e 06 f0 45 7f 92 61 07
Key Id Hash(md5): 595eb604a64cea82117caae36148fbfd
Key Id Hash(sha256): 0df22d23712b109af3cce45abe23ea6f666e756dad3c2b6dbffad05946fefcbf
Cert Hash(md5): dd 7e 1a 00 10 30 67 c7 b9 1e 5f ea b0 09 c3 6e
Cert Hash(sha1): 87 d4 8c 1d 52 44 10 d9 ff 71 9f c8 31 80 20 34 d6 82 03 94
Cert Hash(sha256): 81ab6f802ed270f184d2e96fbd0e34953a228c5185f0812574b3373048882edf
Signature Hash: f4b1c5cba4228969ccdccd237078ace1e249673edcf2465cd399a0a14bf64ee47ebf4a9feb062c504b95772eebcab9a89eeeced558f42788876add2ce0b5531c
CERT_MD5_HASH_PROP_ID(4):
dd 7e 1a 00 10 30 67 c7 b9 1e 5f ea b0 09 c3 6e
CERT_SHA1_HASH_PROP_ID(3):
87 d4 8c 1d 52 44 10 d9 ff 71 9f c8 31 80 20 34 d6 82 03 94
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = {6E928910-36B1-4C1A-8B72-CF33D5C85C98}
Unique container name: 5619e9cf0e097e0aa54f3dcfec6a06c7_521b1f9c-0dde-4e20-b00f-1cf68cd6e71b
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
ProviderType = 18
Flags = 20 (32)
CRYPT_MACHINE_KEYSET -- 20 (32)
KeySpec = 2 -- AT_SIGNATURE
CERT_KEY_IDENTIFIER_PROP_ID(20):
2a 62 63 b4 80 89 57 d0 bb a1 ac 34 1e 06 f0 45 7f 92 61 07
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
ProviderType = 18
Unique container name: 5619e9cf0e097e0aa54f3dcfec6a06c7_521b1f9c-0dde-4e20-b00f-1cf68cd6e71b
RSA
PP_KEYSTORAGE = 1
CRYPT_SEC_DESCR -- 1
KP_PERMISSIONS = 3f (63)
CRYPT_ENCRYPT -- 1
CRYPT_DECRYPT -- 2
CRYPT_EXPORT -- 4
CRYPT_READ -- 8
CRYPT_WRITE -- 10 (16)
CRYPT_MAC -- 20 (32)
D:AI(A;ID;GAGR;;;S-1-5-21-3932969098-2735528041-405945392-1012)(A;ID;GR;;;WD)(A;ID;GAGR;;;BA)
Allow Full Control TEST\Test
Allow Read Everyone
Allow Full Control BUILTIN\Administrators
Certificate Public Key:
Version: 3
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 ae 12 4d 4d 4a d8 e9
0010 f8 77 9b 2e 29 1f 94 04 d1 8c 59 2b 62 05 1a 9c
0020 0c 2a f7 62 28 ce bd 0d 44 35 18 01 8e 43 56 7b
0030 82 6f 81 79 65 fa 7b c6 1b a4 f2 21 c3 bb 14 cb
0040 79 90 5a 4e b2 fc 37 91 3d cb fe c1 a4 13 df 02
0050 2e f4 da 01 6a bd d2 59 eb af 18 3d 02 36 a6 d4
0060 9d 2a 41 72 d4 da f3 65 9c 78 f0 2a 63 df 38 a7
0070 4d cd 7a 78 67 cb 37 87 52 55 8d 68 4b 5a 7a eb
0080 32 b4 d3 de f4 67 9a 34 8a db 85 b5 bd 55 9f 99
0090 72 53 d3 92 85 aa b6 16 87 83 e0 59 11 64 e1 79
00a0 d9 03 a0 07 bd 1e cd 40 68 ec d2 06 ce 6f 88 31
00b0 34 c9 a5 34 90 fa 0c bd 50 7f fd 67 df 92 69 f5
00c0 f2 62 0c c2 f6 2a 94 62 dd 97 db 01 71 2b aa 78
00d0 3f a7 94 ba 70 e0 d3 cb d8 ae f3 87 8b c1 35 5e
00e0 e7 1d b8 00 fc 34 db 75 f0 ad b6 67 ac 6f 81 f7
00f0 6a 63 3c d3 1b f7 18 5d 83 ad 58 c1 79 2f 4a 56
0100 3e e6 3a a4 a3 94 0c 37 a5 02 03 01 00 01
Key Id Hash(rfc-sha1): cd a7 52 88 42 30 3b f8 9d bf 05 cd 05 52 f8 fa 22 36 8f 48
Key Id Hash(sha1): 2a 62 63 b4 80 89 57 d0 bb a1 ac 34 1e 06 f0 45 7f 92 61 07
Container Public Key:
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters: NULL
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 a2 66 92 2b 96 67 60 b5 2d
0010 c9 34 ed ec 1f 51 d2 24 98 59 de f4 3c 47 bd 84
0020 a3 49 5d d9 a6 a7 33 86 b8 36 d7 02 f5 c0 e9 65
0030 84 b8 7b 65 76 3c f9 b7 74 9a 16 3d 6f 5f 23 0d
0040 fe 67 b7 47 a2 ab 4c e3 0b ee 17 19 e1 21 8a 8a
0050 6a df 65 2b 9d 8c 50 cf ac 0d af 0f d4 64 b5 58
0060 4b a5 63 ea 6f 90 84 a9 92 ac 2e fe 0f cc e4 46
0070 e1 de b6 e6 3d ce 5a 72 af 28 39 23 65 35 42 01
0080 5f ce 90 9f 52 1a 79 02 03 01 00 01
Key Id Hash(rfc-sha1): 1a 77 b0 aa 49 b1 fe d0 93 d6 dc e2 64 ed 34 62 0c 09 da da
Key Id Hash(sha1): 9e 60 9d fc b2 f1 ef 16 d2 7e 5a bc de 51 e1 ab 63 24 eb 67
ERROR: Certificate public key does NOT match stored keyset
Signature test FAILED
CertUtil: -store command completed successfully.
The key part of that verification being: ERROR: Certificate public key does NOT match stored keyset
Signature test FAILED
Does anyone have any idea why this is failing? I'm just trying to get it to pass. I'm really at my wits end on this as if you google "ERROR: Certificate public key does NOT match stored keyset" or "Signature test FAILED" there is exceedingly little information out there on programmatic solutions to this issue.
Any help is HUGELY appreciated. Thank you.

Ok, found the answer. This code, using the BouncyCastle 1.8.1 csharp library will generate a CA certificate and a self-signed certificate.
The invoking code:
using System;
using System.IO;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using CertificateToolLibrary;
using System.Net.Sockets;
using System.Security.Principal;
using System.Security.Cryptography;
using Microsoft.Win32;
using System.Security.AccessControl;
using SecureString = System.Security.SecureString;
using System.Security.Cryptography.X509Certificates;
using System.Configuration;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;
X509Certificate2 ca2 = null;
AsymmetricKeyParameter myCAprivateKey = null;
AsymmetricKeyParameter myCApubKey = null;
//CA Certificate Actions
ca2 = new X509Certificate2Builder { SubjectName = "Test-Certificate-Authority" }.BuildCACert(ref myCApubKey, ref myCAprivateKey);
X509Store castore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
castore.Open(OpenFlags.ReadWrite | OpenFlags.MaxAllowed);
castore.Add(ca2);
castore.Close();
//build out the file name.
string localCAFile = txtPFXExport.Text + "\\TestCertificateAuthority.cer";
//export CA cert to desktop.
TestCertificateCreationUtility.Program.ExportCertificateToFileSystem(ca2, localCAFile, false, "password");
//SSL Certificate Actions
var cert2 = new X509Certificate2Builder { SubjectName = txtCNAME.Text, SubjectAlternativeName = txtSAN.Text, Issuer = ca2 }.BuildSelfSignedCert(ca2, myCApubKey, myCAprivateKey);
//build out the file name.
string localPFXFile = txtPFXExport.Text + "\\" + txtCNAME.Text + ".pfx";
//export SSL cert to desktop.
bool status = TestCertificateCreationUtility.Program.ExportCertificateToFileSystem(cert2, localPFXFile, true, "password");
The library code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
//Downloaded using nuget, source: http://www.bouncycastle.org/csharp/
//Library is open-source.
namespace CertificateToolLibrary
{
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X9;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509.Extension;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.Crypto.Operators;
public class X509Certificate2Builder
{
public string SubjectName
{ set { _subjectName = value; }
get { return _subjectName; }
}
public string SubjectAlternativeName
{ set { _subjectAlternativeName = value; }
get { return _subjectAlternativeName; }
}
public string IssuerName
{ set { _issuerName = value; }
get { return _issuerName; }
}
public AsymmetricAlgorithm IssuerPrivateKey
{ set { _issuerPrivateKey = value; }
get { return _issuerPrivateKey; }
}
public X509Certificate2 Issuer
{
set
{
_issuer = value;
_issuerName = value.IssuerName.Name;
if (value.HasPrivateKey)
_issuerPrivateKey = value.PrivateKey;
}
get { return _issuer; }
}
public int? KeyStrength
{ set { _keyStrength = value ?? 2048; }
get { return _keyStrength; }
}
public DateTime? NotBefore
{ set { _notBefore = value; }
get { return _notBefore; }
}
public DateTime? NotAfter
{ set { _notAfter = value; }
get { return _notAfter; }
}
public bool Intermediate
{ set { _intermediate = value; }
get { return _intermediate; }
}
private string _subjectName;
private string _subjectAlternativeName;
private X509Certificate2 _issuer;
private string _issuerName;
private AsymmetricAlgorithm _issuerPrivateKey;
private int _keyStrength = 2048;
private DateTime? _notBefore;
private DateTime? _notAfter;
private bool _intermediate = true;
private const string KEY_CONTAINER_NAME = "cf16236d-0e91-4cb7-9670-6cdbafe54c11";
public X509Certificate2 BuildCACert(ref AsymmetricKeyParameter CaPubKey, ref AsymmetricKeyParameter CaPrivateKey)
{
const int keyStrength = 2048;
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Signature Algorithm
certificateGenerator.SetSignatureAlgorithm("SHA512withRSA");
// Issuer and Subject Name
X509Name subjectDN = new X509Name("CN=" + _subjectName);
X509Name issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
certificateGenerator.SetNotBefore(_notBefore ?? DateTime.UtcNow.Date.AddDays(-1));
certificateGenerator.SetNotAfter(_notAfter ?? DateTime.UtcNow.Date.AddYears(5));
//Turn Basic Constraints off to remove the error on scout for mozilla_pkix_error_ca_cert_used_as_end entity error:
//https://bugzilla.mozilla.org/show_bug.cgi?id=1034124
// Basic Constraints - certificate is allowed to be used as intermediate.
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(_intermediate));
//Key Usage(s)
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.KeyCertSign));
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Subject Key Identifier
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(subjectKeyPair.Public));
// Generating the Certificate
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);
// corresponding private key
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
X509Certificate2 x509 = new X509Certificate2(certificate.GetEncoded(), string.Empty, X509KeyStorageFlags.Exportable);
Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("malformed sequence in RSA private key");
}
RsaPrivateKeyStructure rsa = new RsaPrivateKeyStructure(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
x509.PrivateKey = ToDotNetKey(rsaparams);
CaPubKey = issuerKeyPair.Public;
CaPrivateKey = issuerKeyPair.Private;
return x509;
}
public X509Certificate2 BuildSelfSignedCert(X509Certificate2 ca ,AsymmetricKeyParameter issuerPubKey, AsymmetricKeyParameter issuerPrivKey)
{
const int keyStrength = 2048;
// Generating Random Numbers
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
// The Certificate Generator
var certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Signature Algorithm
certificateGenerator.SetSignatureAlgorithm("SHA512withRSA");
// Issuer and Subject Name
certificateGenerator.SetIssuerDN(new X509Name(_issuerName));
certificateGenerator.SetSubjectDN(new X509Name("CN=" + _subjectName));
//Subject Alternative Name
if (!(String.IsNullOrEmpty(_subjectAlternativeName)))
{
//IP Addresss
GeneralNames dnsAltName = new GeneralNames(new GeneralName[] {
new GeneralName(GeneralName.IPAddress, _subjectName),
new GeneralName(GeneralName.DnsName, _subjectName),
new GeneralName(GeneralName.IPAddress, _subjectAlternativeName),
new GeneralName(GeneralName.DnsName, _subjectAlternativeName),
});
//certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, dnsAltName);
}
// Valid For
certificateGenerator.SetNotBefore(_notBefore ?? DateTime.UtcNow.Date.AddDays(-1));
certificateGenerator.SetNotAfter(_notAfter ?? DateTime.UtcNow.Date.AddYears(5));
//Key Usage(s)
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.NonRepudiation | KeyUsage.KeyEncipherment | KeyUsage.DataEncipherment));
//Extended Key Usage(s)
var usages = new[] { KeyPurposeID.IdKPClientAuth, KeyPurposeID.IdKPServerAuth };
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, false, new ExtendedKeyUsage(usages));
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Generating the Certificate
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
// Authority Key Identifier
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerPubKey));
// Subject Key Identifier
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(subjectKeyPair.Public));
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
// corresponding private key
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
// merge into X509Certificate2
X509Certificate2 x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded(), string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("malformed sequence in RSA private key");
}
RsaPrivateKeyStructure rsa = new RsaPrivateKeyStructure(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
x509.PrivateKey = ToDotNetKey(rsaparams);
return x509;
}
/// <summary>
/// Converts a Bouncy Castle key object into a .NET key object
/// </summary>
/// <param name="privateKey">A bouncy castle key object</param>
/// <returns>A .NET key object</returns>
public static AsymmetricAlgorithm ToDotNetKey(RsaPrivateCrtKeyParameters privateKey)
{
var cspParams = new CspParameters
{
ProviderName = "Microsoft Strong Cryptographic Provider",
ProviderType = 1,
KeyContainerName = Guid.NewGuid().ToString(),
KeyNumber = (int)KeyNumber.Exchange,
Flags = CspProviderFlags.UseMachineKeyStore
};
RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider(cspParams);
RSAParameters parameters = new RSAParameters
{
Modulus = privateKey.Modulus.ToByteArrayUnsigned(),
P = privateKey.P.ToByteArrayUnsigned(),
Q = privateKey.Q.ToByteArrayUnsigned(),
DP = privateKey.DP.ToByteArrayUnsigned(),
DQ = privateKey.DQ.ToByteArrayUnsigned(),
InverseQ = privateKey.QInv.ToByteArrayUnsigned(),
D = privateKey.Exponent.ToByteArrayUnsigned(),
Exponent = privateKey.PublicExponent.ToByteArrayUnsigned()
};
rsaProvider.ImportParameters(parameters);
rsaProvider.PersistKeyInCsp = true;
return rsaProvider;
}
/// <summary>
/// Converts a .NET key object into a Bouncy Castle key object
/// </summary>
/// <param name="privateKey">A .NET key object</param>
/// <param name="isPrivate">True if the key is private, false if it is public</param>
/// <returns>A Bouncy Castle key object</returns>
public static RsaKeyParameters ToBouncyCastleKey(AsymmetricAlgorithm dotNetKey, bool isPrivate)
{
RSACryptoServiceProvider prov = dotNetKey as RSACryptoServiceProvider;
RSAParameters parameters = prov.ExportParameters(isPrivate);
if (isPrivate)
{
return new RsaPrivateCrtKeyParameters(
new BigInteger(1, parameters.Modulus),
new BigInteger(1, parameters.Exponent),
new BigInteger(1, parameters.D),
new BigInteger(1, parameters.P),
new BigInteger(1, parameters.Q),
new BigInteger(1, parameters.DP),
new BigInteger(1, parameters.DQ),
new BigInteger(1, parameters.InverseQ)
);
}
else
{
return new RsaKeyParameters(
false,
new BigInteger(1, parameters.Modulus),
new BigInteger(1, parameters.Exponent)
);
}
}
}
}

Couldn't not able to establish two-way SSL connection

Using plain java client i'm trying to connect to other webserver, It works on standlone but when i deploy on weblogic and try to connect it give below error.
Server :weblogic 10.3
Full stack trace of SSL: with below stactrace it easily sounds that handshake is happening but again its trying to connect and failing .please suggest me where i'm doing wrong.
code snippet i'm using :
FileInputStream fisjks = null;
FileInputStream fisTrusted = null;
String keyStoreType = "jks";
String passphrase = "password";
String passphraseTrusted = "password";
KeyStore ks = KeyStore.getInstance(keyStoreType);
fisjks = new FileInputStream("C:/CFC/Certs/client.jks");
ks.load(fisjks, passphrase.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, passphrase.toCharArray());
KeyStore ks1 = KeyStore.getInstance(keyStoreType);
fisTrusted = new FileInputStream("C:/CFC/Certs/clientTruststore.jks");
ks1.load(fisTrusted, passphraseTrusted.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory
.getInstance("PKIX");
tmf.init(ks1);
SSLContext sslc = SSLContext.getInstance("SSLv3");
sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
HttpsTransportInfo https = new HttpsTransportInfo();
https.setKeyManagers(kmf.getKeyManagers());
https.setTrustManagers(tmf.getTrustManagers());
error stack trace:
found key for : 1 chain [0] = [ [ Version: V3 Subject:
EMAILADDRESS=ravi-kumar.gullapalli#db.com, CN=dbsinlt3767, OU=deutsche
bank, O=deutsche bank, L=sg, ST=sg, C=sg Signature Algorithm:
SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits modulus:
144592527724012074845004082487794424487354455673579096476940872358533141438065735825819894128056692571922940458543755331194643176374687100664359963995916933269788855991350833527371185749001888440965012790605437863243747901365797345245355690011955852557580366177837112034836139958497356357064447873318654927713
public exponent: 65537 Validity: [From: Sun Mar 13 17:23:02 SGT
2011,
To: Wed Mar 07 17:23:02 SGT 2012] Issuer: EMAILADDRESS=ravi-kumar.gullapalli#db.com, CN=dbsinws3283, OU=deutsche
bank, O=deutsche bank, L=sg, ST=sg, C=sg SerialNumber: [ 1001]
Certificate Extensions: 4 [1]: ObjectId: 2.16.840.1.113730.1.13
Criticality=false Extension unknown: DER encoded OCTET string = 0000:
04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated
Certificat 0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [
KeyIdentifier [ 0000: 75 87 47 BE 09 C0 D9 C7 4F FB 5F 57 1D F7 77
99 u.G.....O._W..w. 0010: CF 12 FB DB
.... ] ]
[3]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [
KeyIdentifier [ 0000: 96 83 10 39 C4 C0 8F 54 5E 0F 85 A0 9C D4 85
71 ...9...T^......q 0010: FC 55 39 9A
.U9. ]
]
* main, SEND TLSv1 ALERT: fatal, description = certificate_unknown main, WRITE: TLSv1 Alert, length = 2 [Raw write]: length = 7 0000: 15
03 01 00 02 02 2E ....... main, called
closeSocket() main, handling exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
weblogic.wsee.jaxrpc.ServiceImpl.throwServiceException(ServiceImpl.java:174)
at
weblogic.wsee.jaxrpc.ServiceImpl.loadWsdlDefinition(ServiceImpl.java:485)
at weblogic.wsee.jaxrpc.ServiceImpl.(ServiceImpl.java:119) at
com.db.luup.InvoiceAgentService_Impl.(Unknown Source) at
com.db.mobile.test.LuupMobileClientTest1.main(LuupMobileClientTest1.java:78)
Caused by: weblogic.wsee.wsdl.WsdlException: Failed to read wsdl file
from url due to -- javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:313) at
weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305) at
weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:136) at
weblogic.wsee.wsdl.WsdlSchemaImport.parse(WsdlSchemaImport.java:99)
at weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:116) at
weblogic.wsee.wsdl.WsdlSchema.parse(WsdlSchema.java:73) at
weblogic.wsee.wsdl.WsdlTypes.parse(WsdlTypes.java:165) at
weblogic.wsee.wsdl.WsdlDefinitions.parseChild(WsdlDefinitions.java:520)
at weblogic.wsee.wsdl.WsdlExtensible.parse(WsdlExtensible.java:98)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:468)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:403)
at weblogic.wsee.wsdl.WsdlDefinitions.parse(WsdlDefinitions.java:389)
at weblogic.wsee.wsdl.WsdlFactory.parse(WsdlFactory.java:79) at
weblogic.wsee.wsdl.WsdlFactory.parse(WsdlFactory.java:66) at
weblogic.wsee.jaxrpc.ServiceImpl.loadWsdlDefinition(ServiceImpl.java:476)
... 3 more Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at
weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
at
weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
... 17 more Caused by: sun.security.validator.ValidatorException: No
trusted certificate found at
sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:330)
at
sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:110)
at sun.security.validator.Validator.validate(Validator.java:218) at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
... 32 more

The server didn't trust the client certificate, or vice versa.

If the error stack is from the client application, then the file C:/CFC/Certs/clientTruststore.jks must have the CA certificate for the server certifcate's Issuer.
"No trusted certificate found". The client cannot verify the server's certificate since a matching CA certificate is not found in the truststore.