HTTP Rest Client with Client Certificate, How to configure JDK / Truststore?

Answered

Hello

I've tried using a client certificate and the HTTP Client in IDEA 2021.1 as mentioned in the "What's new" section: https://www.jetbrains.com/idea/whatsnew/ ("SSL support in the HTTP client")

I've created a private environment file:

{
  "preprod": {
    "prof_url": "https://portal.url/rest/api/get/stuff",

    "SSLConfiguration": {
      "hasCertificatePassphrase": true,
      "clientCertificate": {
        "format": "PEM",
        "path": "C:/some/folder/cert.pem"
      },
      "verifyHostCertificate": false
    }
  }
}

When I try to execute a GET request the HTTP Client shows:

javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error

I assume this is caused by the in-house root CA, which is part of our JDK installation (that contains the company's truststore).

But I can't figure out how to add the truststore of the project JDK to the HTTP Client, or how to make it use that JDK, or how to configure the HTTP Client's truststore.

Is there a hint somewhere I missed?

0

Hi, the answer is no. Currently, there is no way to provide part of the certificate chain from the JDK keystore. I've created a ticket for this case: https://youtrack.jetbrains.com/issue/IDEA-267845
But as a workaround, I can suggest adding the In-House Root CA to the end of C:/some/folder/cert.pem (in other words, provide the full chain), and it should work since 2021.1.1 (there is a bug in 2021.1).

0

Hello

Thanks for the reply! I fiddled around a bit more.

It is possible to add the company root certificates into settings (Tools - Server Certificates). This seems to be used by the HTTP Client as well.

I had no luck using the .pem certificates. Not sure why. I used the Apache Commons HTTP Client to verify the certificate and password had a chance of working at all.

The original certificate is in .pfx format, and after converting it into .pem and from there into .p12 format the HTTP Client in IntelliJ works!

openssl pkcs12 -in my_aes_cert.pfx -out my_cert.pem -nodes
openssl pkcs12 -export -inkey my_cert.pem -in my_cert.pem -out my_cert.p12

The SSL configuration above now looks like:

"SSLConfiguration": {
  "hasCertificatePassphrase": true,
  "clientCertificate": {
    "format": "P12",
    "path": "C:/some/folder/my_cert.p12"
  },
  "verifyHostCertificate": false
}

So I could get it working :-)

Thanks for your input!

0
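
A non-interactive check for the .pfx to .pem to .p12 conversion described in the post above, as an added example that is not part of the original thread. It builds a throwaway root CA and client certificate (every name and passphrase is constructed), runs the same two openssl steps, and confirms that the resulting P12 opens with the passphrase, holds the matching private key, and chains to the given root.

```shell
#!/bin/sh
# Added example. Every subject name, file name and passphrase here is a constructed test value.

# make_fixture DIR PASS: throwaway root CA and client certificate, packed as a .pfx.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example In-House Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
        -out "$1/my_aes_cert.pfx" -passout pass:"$2"
}

# convert_bundle DIR PASS: the two conversion steps from the post, made non-interactive.
convert_bundle() {
    openssl pkcs12 -in "$1/my_aes_cert.pfx" -out "$1/my_cert.pem" -nodes -passin pass:"$2"
    openssl pkcs12 -export -inkey "$1/my_cert.pem" -in "$1/my_cert.pem" \
        -out "$1/my_cert.p12" -passout pass:"$2"
    rm -f "$1/my_cert.pem"   # -nodes left the private key unencrypted in this file
}

# check_p12 P12 PASS ROOT_PEM: prints ok, or the name of the first check that failed.
check_p12() {
    cert=$(openssl pkcs12 -in "$1" -passin pass:"$2" -clcerts -nokeys 2>/dev/null) \
        || { echo bad-passphrase; return 1; }
    key=$(openssl pkcs12 -in "$1" -passin pass:"$2" -nocerts -nodes 2>/dev/null) \
        || { echo key-unreadable; return 1; }
    # The private key must belong to the client certificate.
    [ "$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)" = \
      "$(printf '%s\n' "$key" | openssl pkey -pubout)" ] || { echo key-mismatch; return 1; }
    # The client certificate must chain to the given root CA.
    printf '%s\n' "$cert" | openssl verify -CAfile "$3" >/dev/null 2>&1 \
        || { echo untrusted-chain; return 1; }
    echo ok
}

work=$(mktemp -d)
make_fixture "$work" 'constructed-pass'
convert_bundle "$work" 'constructed-pass'
check_p12 "$work/my_cert.p12" 'constructed-pass' "$work/ca.pem"
```

With a real bundle, only check_p12 is needed: pass it the .p12, its passphrase and the in-house root CA in PEM form.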

I have two questions. First, the “private environment file” that is mentioned - is that http-client.env.json? So, did you add an “SSLConfiguration” section to that file? Second, both examples have "hasCertificatePassphrase": true. Is there also a “passphrase” attribute? Where does it go?

0

Hello

No, the http-client.env file is the public file. The private one would have "private" in its name. I usually create them via the UI:

So yes, the contents above reflect that private file - so it has an SSLConfiguration section.

The passphrase is set in a dialog when you click on hasCertificatePassphrase. The instructions are there: https://www.jetbrains.com/help/idea/http-client-in-product-code-editor.html#ssl_certificate but it's easy to miss.

0

Thank you! I'll give it a shot!

1

Thank you! That worked! The one thing I would say to someone else who might be reading this is: when you create the private environment file, the SSLConfiguration block cannot stand alone; it must be included inside an environment, like “preprod” in the topmost code block.

0
