javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
I am receiving the error: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate.
Background information:
ReadyAPI is configured for SSL using Certificate Store with "Use Windows Certificate Store" and Client authentication with "Requires client authentication".
Windows certificate store contains 4 valid certificates from a single smart card. All 4 certificates are from the same issuer. Each certificate has a set of "Intended Purpose". Examples:
Cert1 - PIV Authentication
Cert2 - Time Stamping, Server Auth, Client Auth, Secure Email
Cert3 - Secure Email
Cert4 - Client Authentication
The target webserver is prompting the client for a certificate from a list of authorities. All 4 certificates are valid based on the server requirements.
Problem:
ReadyAPI is correctly pulling all 4 client certificates from the Windows store. It properly matches them up to only get the ones that meet the requirements of the server. However, not all certificates have the proper intended purpose. The problem is that 4 certificates meet the server requirements and the client is not allowing the user to choose the certificate or match the certificate with the right "intended purpose". In addition, the client does not retry the other 3 certificates. As a result, the client is sending Cert3 (Secure Email) instead of sending Cert1.
Is there a way to force the client to choose the right certificate? Or is there a java option that will statically assign the certificate?
Here is a snippet from the client log with logging at a high level.
javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.494 CDT|CertificateRequest.java:653|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [rsa_sign, dss_sign, ecdsa_sign]
"supported signature algorithms": [rsa_pkcs1_sha512, dsa_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha384, dsa_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha256, dsa_sha256, ecdsa_secp256r1_sha256, rsa_sha224, dsa_sha224, ecdsa_sha224, rsa_pkcs1_sha1, dsa_sha1, ecdsa_sha1]
"certificate authorities": [OU=ABC123, O=XYZ, C=XX, ...]
}
)
javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.498 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert2
javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert4
javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert3
javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert1
javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|ServerHelloDone.java:142|Consuming ServerHelloDone handshake message (
...
....
...
javax.net.ssl|ERROR|05 C0|Thread-84|2020-10-28 14:45:43.899 CDT|TransportContext.java:312|Fatal (UNSUPPORTED_CERTIFCATE): Received fatal alert: unsupported_certificate (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
