Apache HttpClient and PEM certificate files
I'd like to programmatically access a site that requires Client certificates, which I have in PEM files. In this application I don't want to add them to my keystore, use keytool, or openssl if I can avoid doing so. I need to deal with them directly in code.
HttpClient httpclient = new DefaultHttpClient();
HttpGet httpget = new HttpGet("https://my.secure.site.com/url");
// TODO: Specify ca.pem and client.pem here?
HttpResponse response = httpclient.execute(httpget);
HttpEntity entity = response.getEntity();
if (entity != null) {
entity.consumeContent();
}
httpclient.getConnectionManager().shutdown();
How would I 'send' the certificate with the request?
Answer
Easiest may well be to use the .p12 format (though the others work fine too - just be careful with extra lines outside the base64 blocks) and add something like:
// systems I trust
System.setProperty("javax.net.ssl.trustStore", "foo");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
// my credentials
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.keyStore", "cert.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
Or alternatively - use things like
KeyStore ks = KeyStore.getInstance( "pkcs12" );
ks.load( new FileInputStream( ....), "mypassword".toCharArray() );
KeyStore jks = KeyStore.getInstance( "JKS" );
ks.load(...
to create above on the fly instead. And rather than rely on the system property - use somethng like:
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(aboveKeyStore, "changeme".toCharArray());
sslContext = SSLContext.getInstance("SSLv3");
sslContext.init(kmf.getKeyManagers(), null, null);
which keeps it separate from keystore.
DW.