What is the right way to send a client certificate with every request made by the RestTemplate in Spring?

Here is an example of how to do this using RestTemplate and Apache HttpClient. You should define your own RestTemplate with a configured SSL context:

    @Bean
    public RestTemplate restTemplate(RestTemplateBuilder builder) throws Exception {
        char[] password = "password".toCharArray();

        // Key material: the client certificate presented during the TLS handshake.
        // Trust material: TrustSelfSignedStrategy accepts self-signed server certificates.
        SSLContext sslContext = SSLContextBuilder.create()
                .loadKeyMaterial(keyStore("classpath:cert.jks", password), password)
                .loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();

        HttpClient client = HttpClients.custom().setSSLContext(sslContext).build();
        return builder
                .requestFactory(new HttpComponentsClientHttpRequestFactory(client))
                .build();
    }

    private …

How does the Chrome browser know which client certificate to prompt for a site?

Client certificate authentication is handled in the handshake phase of the SSL/TLS protocol implemented by browsers. If the server requires client certificate authentication (it is optional), it sends a message to the client with the list of accepted certificate authorities (CAs). The list can be empty if the server accepts any certificate. The client selects the certificates …

Using Client certificates for Windows RT (Windows 8.1/Windows Phone 8.1)

The problem could be related to the validity of the certificate that you are using. By default, .NET refuses to establish an HTTPS connection with an invalid or untrusted certificate. Usually the certificate is invalid because it was generated by a non-trusted authority (self-signed certificate) or because the address of the site is not …

HTTP error 403.16 – client certificate trust issue

Windows 2012 introduced stricter certificate store validations. According to KB 2795828: Lync Server 2013 Front-End service cannot start in Windows Server 2012, the Trusted Root Certification Authorities (i.e. Root) store can only have certificates that are self-signed. If that store contains non-self-signed certificates, client certificate authentication under IIS returns with a 403.16 error code. To …

How to use a client certificate to authenticate and authorize in a Web API

Tracing helped me find what the problem was (thank you, Fabian, for that suggestion). I found with further testing that I could get the client certificate to work on another server (Windows Server 2012). I was testing this on my development machine (Windows 7) so I could debug this process. So by comparing the trace …

IIS 7 Error “A specified logon session does not exist. It may already have been terminated.” when using https

I ran across this same issue, but fixed it a different way. I believe the account I was using changed from the time I initially attempted to set up the certificate to the time where I returned to finish the work, thus creating the issue. What the issue is, I don’t know, but I suspect …

How to debug SSL handshake using cURL?

I have used this command to troubleshoot client certificate negotiation:

    openssl s_client -connect www.test.com:443 -prexit

The output will probably contain “Acceptable client certificate CA names” and a list of CA certificates from the server, or possibly “No client certificate CA names sent”, if the server doesn’t always require client certificates.
