DISCLAIMER: HttpClient developers DO NOT actively support this component.
The component is provided as a reference material, which may be inappropriate
to be used without additional custom
AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS
server against a list of trusted certificates and to authenticate to the HTTPS
server using a private key.
AuthSSLProtocolSocketFactory will enable server authentication when supplied with
a truststore file containg one or several trusted certificates.
The client secure socket will reject the connection during the SSL session handshake
if the target HTTPS server attempts to authenticate itself with a non-trusted
certificate.
Use JDK keytool utility to import a trusted certificate and generate a truststore file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
AuthSSLProtocolSocketFactory will enable client authentication when supplied with
a keystore file containg a private key/public certificate pair.
The client secure socket will use the private key to authenticate itself to the target
HTTPS server during the SSL session handshake if requested to do so by the server.
The target HTTPS server will in its turn verify the certificate presented by the client
in order to establish client's authenticity
Use the following sequence of actions to generate a keystore file
For simplicity use the same password for the key as that of the keystore
Issue a certificate signing request (CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
Send the certificate request to the trusted Certificate Authority for signature.
One may choose to act as her own CA and sign the certificate request using a PKI
tool, such as OpenSSL.
Import the trusted CA root certificate
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
Verify the content the resultant keystore file
keytool -list -v -keystore my.keystore
Example of using custom protocol socket factory for a specific host:
Protocol authhttps = new Protocol("https",
new AuthSSLProtocolSocketFactory(
new URL("file:my.keystore"), "mypassword",
new URL("file:my.truststore"), "mypassword"), 443);
HttpClient client = new HttpClient();
client.getHostConfiguration().setHost("localhost", 443, authhttps);
// use relative url only
GetMethod httpget = new GetMethod("/");
client.executeMethod(httpget);
Example of using custom protocol socket factory per default instead of the standard one:
Protocol authhttps = new Protocol("https",
new AuthSSLProtocolSocketFactory(
new URL("file:my.keystore"), "mypassword",
new URL("file:my.truststore"), "mypassword"), 443);
Protocol.registerProtocol("https", authhttps);
HttpClient client = new HttpClient();
GetMethod httpget = new GetMethod("https://localhost/");
client.executeMethod(httpget);
AuthSSLProtocolSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.
AuthSSLProtocolSocketFactory will enable server authentication when supplied with a truststore file containg one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.
Use JDK keytool utility to import a trusted certificate and generate a truststore file:
keytool -import -alias "my server cert" -file server.crt -keystore my.truststoreAuthSSLProtocolSocketFactory will enable client authentication when supplied with a keystore file containg a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity
Use the following sequence of actions to generate a keystore file
Use JDK keytool utility to generate a new key
For simplicity use the same password for the key as that of the keystoreIssue a certificate signing request (CSR)
Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.
Import the trusted CA root certificate
Import the PKCS#7 file containg the complete certificate chain
Verify the content the resultant keystore file
Example of using custom protocol socket factory for a specific host:
Protocol authhttps = new Protocol("https", new AuthSSLProtocolSocketFactory( new URL("file:my.keystore"), "mypassword", new URL("file:my.truststore"), "mypassword"), 443); HttpClient client = new HttpClient(); client.getHostConfiguration().setHost("localhost", 443, authhttps); // use relative url only GetMethod httpget = new GetMethod("/"); client.executeMethod(httpget);Example of using custom protocol socket factory per default instead of the standard one:
Protocol authhttps = new Protocol("https", new AuthSSLProtocolSocketFactory( new URL("file:my.keystore"), "mypassword", new URL("file:my.truststore"), "mypassword"), 443); Protocol.registerProtocol("https", authhttps); HttpClient client = new HttpClient(); GetMethod httpget = new GetMethod("https://localhost/"); client.executeMethod(httpget);