cancel
Showing results for 
Search instead for 
Did you mean: 

SSL Keystore not initialized when it contains only CA certs (no private keys).

Occasional Visitor

SSL Keystore not initialized when it contains only CA certs (no private keys).

Hi All,

 

We're using SoapUI 5.4.0 (open source) and we noticed an issue today. We're making a Soap/HTTPS call to one of our vendors, and expect to validate the vendor SSL certificate using a CA chain (root and intermediate certs) which are stored in our keystore.jks.

 

When we try this we get the following error:

Wed Nov 07 12:56:43 GMT 2018:INFO:Initializing Keystore from [D:\temp\ESBkeystore.jks]
Wed Nov 07 12:56:43 GMT 2018:ERROR:An error occurred [No private keys found in keystore!], see error log for details
Wed Nov 07 12:56:43 GMT 2018:ERROR:An error occurred [Uninitialized keystore], see error log for details
Wed Nov 07 12:56:43 GMT 2018Smiley Very HappyEBUG:Attempt 1 to execute request
Wed Nov 07 12:56:43 GMT 2018Smiley Very HappyEBUGSmiley Frustratedending request: POST /catalyst5/services/CRTCreditScore HTTP/1.1
Wed Nov 07 12:56:43 GMT 2018Smiley Very HappyEBUG:I/O error closing connection
   javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

...

...

...
Wed Nov 07 12:56:43 GMT 2018:INFO:Error getting response for [CRTCreditScoreSoapBinding.CRTCreditScoreUpdateRequest:Request 1]; javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

The problem is that SoapUI has not initialized the keystore, because it doesn't contain any private keys. The subsequent attempt to authenticate our vendor's SSL certificate then fails because the keystore is not initialized so the CA root and intermediate certs are not available.

 

To test this I generated a dummy pub/priv keypair and added it to my keystore.jks that SoapUI uses. When I repeated the test, SoapUI now initialises the keystore correctly and goes on to authenticate the server SSL cert without any issue.

 

My problem here is that we do not have any private keys to insert into the keystore - and it seems perfectly valid to me that a keystore may only contain CA certs for validating external server SSL certificates.

Why does SoapUI appear to require a keystore to contain a private key - is this a bug?

 

The only reference I could find to this issue was another question raised on this forum several years ago - but it did not result in any answer, and it refers to a version of SoapUI which is now exstremely out of date:

 

https://community.smartbear.com/t5/SoapUI-Open-Source/WS-SECURITY-ENCRYPTION-Without-private-key/td-...

 

If someone from SmartBear could advise if this is a known issue/bug and if so what the workaround is that would be great,

 

Regards,

Steve

 

 

1 REPLY 1
Occasional Contributor

Re: SSL Keystore not initialized when it contains only CA certs (no private keys).

Facing the same and i am need of help asap. Anyone with solutions or help. Thanks in advance.

 

Regards,

Shane.

New Here?
Join us and watch the welcome video:
Join the exciting event
SeptemberHubBub
Top Kudoed Authors
Join the September Hub-bub to show off, learn and win