In the course of using Client certificates for authentication, I decided to use not-yet-commons-ssl-0.3.11.jar. That has resulted in another issue – the simple act of invoking the constructor on EasySSLProtocolSocketFactory or StrictSSLProtocolSocketFactory will produce an exception.

The code, as isolated in a simple cmd line app:

public class CertTest {

public static void main(String[] args) {

    System.setProperty("javax.net.debug", "ssl,handshake"); // SSL DEBUG INFO
    String keystore = "/usr/java/jdk1.6.0_11/jre/lib/security/cacerts";
    String keystorePassword = "changeit";

System.setProperty("javax.net.ssl.keyStore", keystore);
System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
//        System.setProperty("javax.net.ssl.trustStore", keystore);
//        System.setProperty("javax.net.ssl.trustStorePassword", keystorePassword);

    try {
        org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory factory = 
            new     org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory();
    catch (Exception e) {
        System.out.println (e);


To isolate issues with older libs, I put the above code in a directory with these jars (these are the ONLY jars in the classpath):

  1. httpclient-4.0.1.jar
  2. not-yet-commons-ssl-0.3.11.jar
  3. commons-httpclient-3.1.jar
  4. httpcore-4.0.1.jar

So, with some client certificates in the cacerts keystore, I get:
org.apache.commons.ssl.ProbablyBadPasswordException: Probably bad JKS-Key password: java.security.UnrecoverableKeyException: Password must not be null

If I use keytool to delete all the client certificates that I have loaded, then the exception changes to

**Caused by: java.security.KeyStoreException: No private keys found in keystore!**
at org.apache.commons.ssl.KeyStoreBuilder.validate(KeyStoreBuilder.java:269)
at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:129)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:179)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:170)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:160)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:64)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:114)
at org.apache.commons.ssl.KeyMaterial.(KeyMaterial.java:89)
at org.apache.commons.ssl.SSL.(SSL.java:142)
at org.apache.commons.ssl.SSLClient.(SSLClient.java:59)
at org.apache.commons.ssl.HttpSecureProtocol.(HttpSecureProtocol.java:55)
at org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory.(EasySSLProtocolSocketFactory.java:94)

Snippets in the output:

keyStore is : /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/java/jdk1.6.0_11/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=SwissSign Platinum CA – G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA – G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f

whole bunch of default trusted certs snipped here…

trigger seeding of SecureRandom
done seeding SecureRandom
@@@@@@@@@@ EXCEPTION
java.security.KeyStoreException: No private keys found in keystore!

Any ideas?