While developing a web-service-based application, we ran into some issues using a self-signed certificate. After running our wsdl2java Ant task, we got the following error using Java 1.4:
sun.security.validator.ValidatorException: No trusted certificate found
Using Java 1.5 the error looks like this:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested targ
Fair enough. Java is telling us we need to import our self-signed certificate into Java's cacerts keystore:
/usr/local/java5/bin/keytool -import -alias mycert \
    -file server.crt -keystore /usr/local/java5/jre/lib/security/cacerts
Enter keystore password: changeit
... CERTIFICATE DUMP ...
Trust this certificate? [no]: yes
Certificate was added to keystore
Running our Ant task again:
java.io.IOException: HTTPS hostname wrong: should be <localhost>
at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:490)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
...LONG STACK TRACE TRUNCATED....
This was a slightly more esoteric error. A quick Google search shows that most people suggest using a 'Dummy' HostnameVerifier, which skips the hostname check entirely.
Not really wanting to crack open the wsdl2java source, we solved it in the certificate instead. The key is that when you generate the CSR, the Common Name (CN) must be the host name the client connects to. In our case, localhost:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:KY
Locality Name (eg, city) []:Louisville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mission Data
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:localhost
Email Address []:test@example.com
After re-importing the new certificate into Java, the hostname verifier was happy and we were ready to move on.
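The certificate fix above can be checked before anything is imported. This is an added example, not part of the original post: it builds a throwaway self-signed certificate with CN=localhost and uses openssl's -checkhost to confirm which host names it is valid for. The function names, the temporary directory and myserver.example.com are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: verify that a certificate matches the host name clients
# will use, and only then import it into a Java keystore.
# Note: -checkhost looks at subjectAltName DNS entries first and falls back
# to the CN only when the certificate has none; current Java does the same.

# make_cert HOST DIR: write DIR/server.key and DIR/server.crt with CN=HOST
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/ST=KY/L=Louisville/O=Mission Data/CN=$1" \
        -keyout "$2/server.key" -out "$2/server.crt" 2>/dev/null
}

# cert_matches_host CRT HOST: succeed only if CRT is valid for HOST
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# import_if_match CRT HOST KEYSTORE: refuse the import on a name mismatch,
# so a wrong-CN certificate never reaches the keystore.
import_if_match() {
    if ! cert_matches_host "$1" "$2"; then
        echo "refusing import: $1 is not valid for host $2" >&2
        return 1
    fi
    keytool -import -alias mycert -file "$1" -keystore "$3"
}

# Demo on a constructed certificate in a temporary directory.
tmp=$(mktemp -d)
make_cert localhost "$tmp"
for host in localhost myserver.example.com; do
    if cert_matches_host "$tmp/server.crt" "$host"; then
        echo "$host: certificate matches"
    else
        echo "$host: mismatch (Java would report 'HTTPS hostname wrong')"
    fi
done
```

If the service is later reached under a different name, the same check fails for that name and the certificate has to be reissued with it.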