HTTP Rest Client with Client Certificate, How to configure JDK / Truststore?
Answered
Hello
I've tried using a client certificate and the HTTP Client in IDEA 2021.1 as mentioned in the "What's new" section: https://www.jetbrains.com/idea/whatsnew/ ("SSL support in the HTTP client")
I've created a private environment file:
{
  "preprod": {
    "prof_url": "https://portal.url/rest/api/get/stuff",
    "SSLConfiguration": {
      "hasCertificatePassphrase": true,
      "clientCertificate": {
        "format": "PEM",
        "path": "C:/some/folder/cert.pem"
      },
      "verifyHostCertificate": false
    }
  }
}
When I try to execute a GET request the HTTP Client shows:
javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
I assume this is caused by the In-House Root CA, which is part of our JDK installation (that contains the company's truststore).
But I can't figure out how to add the truststore of the project JDK to the HTTP Client, or how to make it use that JDK, or how to configure the HTTP Client's truststore.
Is there a hint somewhere I missed?
Hi, The answer is no. Currently, there is no way to provide part of the certificate chain from the JDK keystore. I've created a ticket for this case: https://youtrack.jetbrains.com/issue/IDEA-267845
But as a workaround I can suggest adding the In-House Root CA to the end of C:/some/folder/cert.pem (in other words, provide the full chain), and it should work since 2021.1.1 (there is a bug in 2021.1).
Hello
Thanks for the reply! I fiddled around a bit more.
It is possible to add the company root certificates into settings (Tools - Server Certificates). This seems to be used by the HTTP Client as well.
I had no luck using the .pem certificates. Not sure why. I used the Apache Commons HTTP Client to verify the certificate and password had a chance of working at all.
The original certificate is in .pfx format, and after converting it into .pem and from there into .p12 format the HTTP Client in IntelliJ works!
The SSL configuration above now looks like:
"SSLConfiguration": {
  "hasCertificatePassphrase": true,
  "clientCertificate": {
    "format": "P12",
    "path": "C:/some/folder/my_cert.p12"
  },
  "verifyHostCertificate": false
}
So I could get it working :-)
Thanks for your input!
I have two questions. First, the “private environment file” that is mentioned: is that http-client.env.json? So, did you add an “SSLConfiguration” section to that file? Second, both examples have "hasCertificatePassphrase": true. Is there also a “passphrase” attribute? Where does it go?
Hello
No, the http-client.env file is the public file. The private one would have "private" in its name. I usually create them via the UI:
So yes, the contents above reflect that private file, so it has an SSLConfiguration section.
The passphrase is set in a dialog when you click on hasCertificatePassphrase. The instructions are there: https://www.jetbrains.com/help/idea/http-client-in-product-code-editor.html#ssl_certificate but it's easy to miss.
Thank you! I'll give it a shot!
Thank you! That worked! The one thing I would say to someone else who might be reading this is: when you create the private environment file, the SSLConfiguration block cannot stand alone, it must be included inside an environment, like “preprod” in the topmost code block.
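An added example, not part of the thread and not JetBrains code: a small Python check for a private environment file that uses only the keys shown in the posts above. It reports an SSLConfiguration block placed outside an environment, a clientCertificate without format or path, and any environment that sets verifyHostCertificate to false, since that setting turns off verification of the server's certificate. The function name lint_private_env and the sample file content are constructed for illustration.

```python
import json

# Constructed sample: one environment as posted in the thread, plus an
# SSLConfiguration block wrongly placed at the top level of the file.
SAMPLE = """
{
  "preprod": {
    "prof_url": "https://portal.url/rest/api/get/stuff",
    "SSLConfiguration": {
      "hasCertificatePassphrase": true,
      "clientCertificate": {"format": "P12", "path": "C:/some/folder/my_cert.p12"},
      "verifyHostCertificate": false
    }
  },
  "SSLConfiguration": {"clientCertificate": {"format": "PEM"}}
}
"""

def lint_private_env(text):
    """Return a list of (level, environment, message) findings."""
    data = json.loads(text)
    if not isinstance(data, dict):
        return [("error", "", "top level must be a JSON object of environments")]
    findings = []
    for env, body in data.items():
        # The block only takes effect inside a named environment.
        if env == "SSLConfiguration":
            findings.append(("error", env, "SSLConfiguration must sit inside an environment"))
            continue
        ssl = body.get("SSLConfiguration") if isinstance(body, dict) else None
        if ssl is None:
            continue
        if not isinstance(ssl, dict):
            findings.append(("error", env, "SSLConfiguration must be an object"))
            continue
        cert = ssl.get("clientCertificate")
        if isinstance(cert, dict):
            for key in ("format", "path"):
                if not cert.get(key):
                    findings.append(("error", env, f"clientCertificate.{key} is missing"))
        # Explicit false disables checking of the server's certificate.
        if ssl.get("verifyHostCertificate") is False:
            findings.append(("warning", env, "verifyHostCertificate is false: server certificate is not verified"))
    return findings

if __name__ == "__main__":
    for level, env, message in lint_private_env(SAMPLE):
        print(f"{level:7} [{env}] {message}")
```

With the company root CA imported under Tools - Server Certificates as described earlier in the thread, the warning is a prompt to try the request again with verifyHostCertificate set to true.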