'Java TLS Socket certificate_unknown error

I'm writing a simple test case where I create a SSL context (from Bouncey Castle with CA certificate, client certificate, and private key) and from the context, I create a server socket and client socket.

I'm trying to send a simple message from client to server and get the following error.

"Received fatal alert: certificate_unknown"

I suspect it has to do with the way the environment is setup, but I'm not sure.

SSL Context is generated with the code below

  public static SSLContext getSSLContext(final String caCrtFile,
                                                   final String crtFile,
                                                   final String keyFile,
                                                   final String password)
   {
      try
      {

         /**
          * Add BouncyCastle as a Security Provider
          */
         Security.addProvider(new BouncyCastleProvider());

         JcaX509CertificateConverter certificateConverter =
               new JcaX509CertificateConverter().setProvider("BC");

         /**
          * Load Certificate Authority (CA) certificate
          */
         PEMParser reader = new PEMParser(new FileReader(caCrtFile));
         X509CertificateHolder caCertHolder =
               (X509CertificateHolder) reader.readObject();
         reader.close();

         X509Certificate caCert =
               certificateConverter.getCertificate(caCertHolder);

         /**
          * Load client certificate
          */
         reader = new PEMParser(new FileReader(crtFile));
         X509CertificateHolder certHolder =
               (X509CertificateHolder) reader.readObject();
         reader.close();

         X509Certificate cert = certificateConverter.getCertificate(certHolder);

         /**
          * Load client private key
          */
         reader = new PEMParser(new FileReader(keyFile));
         Object keyObject = reader.readObject();
         reader.close();

         PrivateKeyInfo key = (PrivateKeyInfo) keyObject;
         
         JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
         

         /**
          * CA certificate is used to authenticate server
          */
         KeyStore caKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
         caKeyStore.load(null, null);
         caKeyStore.setCertificateEntry("ca-certificate", caCert);

         TrustManagerFactory trustManagerFactory =
               TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         trustManagerFactory.init(caKeyStore);

         /**
          * Client key and certificates are sent to server so it can
          * authenticate the client
          */
         KeyStore clientKeyStore =
               KeyStore.getInstance(KeyStore.getDefaultType());
         clientKeyStore.load(null, null);
         clientKeyStore.setCertificateEntry("certificate", cert);
         clientKeyStore.setKeyEntry("private-key",
                                    converter.getPrivateKey(key),
                                    password.toCharArray(),
                                    new Certificate[]
                                    { cert });

         KeyManagerFactory keyManagerFactory =
               KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
         keyManagerFactory.init(clientKeyStore, password.toCharArray());

         /**
          * Create SSL socket factory
          */
         SSLContext context = SSLContext.getInstance("TLSv1.2");
         context.init(keyManagerFactory.getKeyManagers(),
                      trustManagerFactory.getTrustManagers(),
                      new SecureRandom());

         
         /**
          * Return the newly created socket factory object
          */
         return context;

      }
      catch (Exception e)
      {
         e.printStackTrace();
      }

      return null;
   }

Client Socket

public TLSClient(InetAddress serverHost,
                    int serverPort,
                    String tlsVersion,
                    String trustStoreName,
                    char[] trustStorePassword,
                    String keyStoreName,
                    char[] keyStorePassword) throws Exception
   {
      serverHost_ = serverHost;
      serverPort_ = serverPort;

      ctx_ = TLSServer.getSSLContext("root.crt.pem", trustStoreName, keyStoreName, "");
   }
   
   public void requestSend(String message) throws IOException
   {
      SocketFactory factory = ctx_.getSocketFactory();

      Socket connection = factory.createSocket(serverHost_, serverPort_);
      SSLParameters sslParams = new SSLParameters();
      sslParams.setEndpointIdentificationAlgorithm("HTTPS");
      ((SSLSocket) connection).setSSLParameters(sslParams);

      // NIO to be implemented
      while (true)
      {
         try
         {
            PrintWriter out =
                  new PrintWriter(connection.getOutputStream(), true);
            out.println(message);
         }
         catch (Exception e)
         {
            e.printStackTrace();
         }
      }

   }
   
   private InetAddress serverHost_;
   private int serverPort_;
   private SSLContext ctx_;

Server Socket

public TLSServer(int    port,
                    String tlsVersion,
                    String trustStoreName,
                    char[] trustStorePassword,
                    String keyStoreName,
                    char[] keyStorePassword)
         throws Exception
   {

      port_ = port;
      ctx_ = getSSLContext("root.crt.pem", trustStoreName, keyStoreName, "");

   }

   public String serveReceive() throws IOException
   {
      SSLServerSocketFactory factory = ctx_.getServerSocketFactory();
      try (ServerSocket listener = factory.createServerSocket(port_))
      {
         SSLServerSocket sslListener = (SSLServerSocket) listener;

         sslListener.setNeedClientAuth(true);

         // NIO to be implemented
         while (true)
         {
            try (Socket socket = sslListener.accept())
            {
               BufferedReader input =
                     new BufferedReader(new InputStreamReader(socket.getInputStream()));
               return input.readLine();
            }
            catch (Exception e)
            {
               e.printStackTrace();
            }
         }
      }

   }

   private int port_;
   private SSLContext ctx_;

Test Main

TLSServer server = new TLSServer(SERVER_PORT,
                                       TLS_VERSION,
                                       TRUST_STORE_NAME,
                                       TRUST_STORE_PWD,
                                       KEY_STORE_NAME,
                                       KEY_STORE_PWD);
      TLSClient client = new TLSClient(InetAddress.getByName(SERVER_HOST_NAME),
                                       SERVER_PORT,
                                       TLS_VERSION,
                                       TRUST_STORE_NAME,
                                       TRUST_STORE_PWD,
                                       KEY_STORE_NAME,
                                       KEY_STORE_PWD);

      Thread serverThread = new Thread(new Runnable()
      {

         @Override
         public void run()
         {
            try
            {
               String output = server.serveReceive();
               
               System.out.println("Received: " + output);
            }
            catch (Exception e)
            {
               e.printStackTrace();
            }
         }
      });
      serverThread.start();

      try
      {
         client.requestSend("Test1");
      }
      catch (Exception e)
      {
         e.printStackTrace();
         throw e;
      }

Root Certificate:

Certificate

Private Key

Solution 1:^[1]

The answer is super simple, on the client side, I have to call startHandshake

Solution 2:^[2]

I'm not shure if your answer is really the solutution. I ran your code with your certificates I get a completely different - but more expected No subject alternative names present exception.

Your root certificate looks O.K. (only the Basic Constraints CA:TRUE should be taged as critical) but the server certificate does not. The CN zero is invalid in this case.

$ openssl x509 -inform PEM -in root.crt.pem -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a8:47:0e:fb:d2:05:91:ef
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CA, CN=root
        Validity
            Not Before: Jan 12 23:31:52 2022 GMT
            Not After : Jan 12 23:31:52 2023 GMT
        Subject: C=CA, CN=root
        Subject Public Key Info:
            ...
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                ...
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
        ...

$ openssl x509 -text -inform PEM -in test_0.crt.pem

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ed:36:74:56:ff:cd:55:6d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CA, CN=root
        Validity
            Not Before: Jan 12 23:31:53 2022 GMT
            Not After : Jan 12 23:31:53 2023 GMT
        Subject: C=CA, CN=zero
        Subject Public Key Info:
            ...
    Signature Algorithm: sha256WithRSAEncryption
        ...

A certificate without SAN extention must have the parameter CN (in the subject field) set to the DNS name of the (physical/virtual) host where it is installed on. I.e. in your testcase the CN should be localhost, on a server with the DNS name example.com the CN must be example.com. You can also set the IP address as CN parameter but be aware of the fact tha official Certification Authorities accept only CSR with domain names and reject those with IP addresses.

With SAN extention the CN parameter in the subject fiels can be uset more liberately as long as one SAN field has set DNS parameter with a value according to that said above. In this case you are also free to set one DNS parameter to servers DNS name and a second to it's IP address.

Which one (DNS name / IP address) to use depends on the URL you use to conect to your server. If the certificate has no enty which correlates to the URL the client uses to connect the server a hostname verification error occures.

Also the X509v3 Extended Key Usage: TLS Web Server Authentication should be set without critical tag to indicate/restrict the certificate usage.

Comming back to the initial reason of your question, the certificate_unknown error.

This error occures if the provided end entity (client/server) certificate is unknown and/or no valid trust path back to a root certificate can be build. In practise this means that the required root certificate is not available in the truststore of the complaining party (server/client).

With the given code, certificates and information I can't see any reason for that exception and wouldn't expect it either. Maybe it was a temporary misconfiguration while trying to get it running.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution	Source
Solution 1	Jack Zhang
Solution 2

'Java TLS Socket certificate_unknown error

Solution 1:[1]

Solution 2:[2]

Sources

Related Questions

Solution 1:^[1]

Solution 2:^[2]