SSL Keystore not initialized when it contains only CA certs (no private keys).
Hi All,
We're using SoapUI 5.4.0 (open source) and we noticed an issue today. We're making a Soap/HTTPS call to one of our vendors, and expect to validate the vendor SSL certificate using a CA chain (root and intermediate certs) which are stored in our keystore.jks.
When we try this we get the following error:
Wed Nov 07 12:56:43 GMT 2018:INFO:Initializing Keystore from [D:\temp\ESBkeystore.jks]
Wed Nov 07 12:56:43 GMT 2018:ERROR:An error occurred [No private keys found in keystore!], see error log for details
Wed Nov 07 12:56:43 GMT 2018:ERROR:An error occurred [Uninitialized keystore], see error log for details
Wed Nov 07 12:56:43 GMT 2018:DEBUG:Attempt 1 to execute request
Wed Nov 07 12:56:43 GMT 2018:DEBUG:Sending request: POST /catalyst5/services/CRTCreditScore HTTP/1.1
Wed Nov 07 12:56:43 GMT 2018:DEBUG:I/O error closing connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
...
...
Wed Nov 07 12:56:43 GMT 2018:INFO:Error getting response for [CRTCreditScoreSoapBinding.CRTCreditScoreUpdateRequest:Request 1]; javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The problem is that SoapUI has not initialized the keystore, because it doesn't contain any private keys. The subsequent attempt to authenticate our vendor's SSL certificate then fails because the keystore is not initialized so the CA root and intermediate certs are not available.
To test this I generated a dummy pub/priv keypair and added it to my keystore.jks that SoapUI uses. When I repeated the test, SoapUI now initialises the keystore correctly and goes on to authenticate the server SSL cert without any issue.
My problem here is that we do not have any private keys to insert into the keystore - and it seems perfectly valid to me that a keystore may only contain CA certs for validating external server SSL certificates.
Why does SoapUI appear to require a keystore to contain a private key - is this a bug?
The only reference I could find to this issue was another question raised on this forum several years ago - but it did not result in any answer, and it refers to a version of SoapUI which is now extremely out of date:
If someone from SmartBear could advise if this is a known issue/bug and if so what the workaround is, that would be great.
Regards,
Steve
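For anyone hitting the same error, the following is an added example (not code from the original post, and not SoapUI's own code) showing how the standard Java TLS APIs treat a JKS that holds only CA certificates: TrustManagerFactory initialises happily from trustedCertEntry entries alone, while KeyManagerFactory is only needed when the store also carries a PrivateKeyEntry for client-certificate authentication. The keystore path ESBkeystore.jks and the password changeit are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustOnlyKeystore {

    // Load a JKS keystore from disk with the given store password.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // True when the store holds at least one private key entry.
    static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and password; pass your own on the command line.
        String path = args.length > 0 ? args[0] : "ESBkeystore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = load(path, password);

        int certEntries = 0;
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
            } else if (ks.isCertificateEntry(alias)) {
                certEntries++;
            }
        }
        System.out.printf("%s: %d trusted cert entries, %d private key entries%n",
                path, certEntries, keyEntries);

        // Trust side: validates the remote server chain. Works with CA certs only.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        // Identity side: only required if we must present a client certificate.
        KeyManager[] keyManagers = null;
        if (hasPrivateKey(ks)) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            keyManagers = kmf.getKeyManagers();
        }

        // A null KeyManager array is valid: the JVM simply has no client identity to offer.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);

        System.out.println("SSLContext initialised; server certificates will be checked "
                + "against the CA entries in " + path);
    }
}
```

Run it as `java TrustOnlyKeystore D:\temp\ESBkeystore.jks <password>` to confirm the store itself is usable for trust without any private key; if this succeeds, the limitation is in how the client application initialises its keystore, not in the JKS file. Note that the standard JVM-wide way to supply a CA-only store is the `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties, which need no private key; whether SoapUI's request path honours those properties is not something this thread establishes.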