"org.apache.commons.ssl.Ping" contains a main method to help you diagnose SSL issues. It's modeled on OpenSSL's very handy "s_client" utility. We've been very careful to make sure "org.apache.commons.ssl.Ping" can execute without any additional jar files on the classpath (except if using Java 1.3 - then you'll need jsse.jar).

"Ping" Utility Attempts "HEAD / HTTP/1.1" Request
This utility is very handy because it can get you the server's public
certificate even if your client certificate is bad (so even though the SSL
handshake fails).  And unlike "openssl s_client", this utility can bind
against any IP address available.

Usage:  java -jar not-yet-commons-ssl-0.3.9.jar [options]
Version 0.3.9      compiled=[PST:2007-11-14/14:42:18.000]
Options:   (*=required)
*  -t  --target           [hostname[:port]]              default port=443
   -b  --bind             [hostname[:port]]              default port=0 "ANY"
   -r  --proxy            [hostname[:port]]              default port=80
   -tm --trust-cert       [path to trust material]       {pem, der, crt, jks}
   -km --client-cert      [path to client's private key] {jks, pkcs12, pkcs8}
   -cc --cert-chain       [path to client's cert chain for pkcs8/OpenSSL key]
   -p  --password         [client cert password]
   -h  --host-header      [http-host-header]      in case -t is an IP address
   -u  --path             [path for GET/HEAD request]    default=/
   -m  --method           [http method to use]           default=HEAD


java -jar not-yet-commons-ssl.jar -t -c ./client.pfx -p `cat ./pass.txt`

Apparently Java 6.0 includes support for grabbing passwords from standard-in without echoing the typed characters. Would be nice to use that feature when it's available, instead of requiring the password to be specified as a command-line argument.


org.apache.commons.ssl.KeyStoreBuilder is able to convert OpenSSL style public/private keys into Java KeyStore files. It can also convert Java Keystore files into the PEM format that Apache likes.

java -cp not-yet-commons-ssl-0.3.9.jar org.apache.commons.ssl.KeyStoreBuilder

KeyStoreBuilder converts PKCS12 and PKCS8 to Java "Keystore"

KeyStoreBuilder:  creates '[alias].jks' (Java Key Store)
    -topk8 mode:  creates '[alias].pem' (x509 chain + unencrypted pkcs8)
[alias] will be set to the first CN value of the X509 certificate.
Usage1: [password] [file:pkcs12]
Usage2: [password] [file:private-key] [file:certificate-chain]
Usage3: -topk8 [password] [file:jks]
[private-key] can be openssl format, or pkcs8.
[password] decrypts [private-key], and also encrypts outputted JKS file.
All files can be PEM or DER.