Develop Reference

Secure Sockets in Java without CA [duplicate]

A module I'm adding to our large Java application has to converse with another company's SSL-secured website. The problem is that the site uses a self-signed certificate. I have a copy of the certificate to verify that I'm not encountering a man-in-the-middle attack, and I need to incorporate this certificate into our code in such a way that the connection to the server will be successful.
Here's the basic code:
void sendRequest(String dataPacket) {
String urlStr = "https://host.example.com/";
URL url = new URL(urlStr);
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
conn.setMethod("POST");
conn.setRequestProperty("Content-Length", data.length());
conn.setDoOutput(true);
OutputStreamWriter o = new OutputStreamWriter(conn.getOutputStream());
o.write(data);
o.flush();
}
Without any additional handling in place for the self-signed certificate, this dies at conn.getOutputStream() with the following exception:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
....
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
....
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Ideally, my code needs to teach Java to accept this one self-signed certificate, for this one spot in the application, and nowhere else.
I know that I can import the certificate into the JRE's certificate authority store, and that will allow Java to accept it. That's not an approach I want to take if I can help; it seems very invasive to do on all of our customer's machines for one module they may not use; it would affect all other Java applications using the same JRE, and I don't like that even though the odds of any other Java application ever accessing this site are nil. It's also not a trivial operation: on UNIX I have to obtain access rights to modify the JRE in this way.
I've also seen that I can create a TrustManager instance that does some custom checking. It looks like I might even be able to create a TrustManager that delegates to the real TrustManager in all instances except this one certificate. But it looks like that TrustManager gets installed globally, and I presume would affect all other connections from our application, and that doesn't smell quite right to me, either.
What is the preferred, standard, or best way to set up a Java application to accept a self-signed certificate? Can I accomplish all of the goals I have in mind above, or am I going to have to compromise? Is there an option involving files and directories and configuration settings, and little-to-no code?

Create an SSLSocket factory yourself, and set it on the HttpsURLConnection before connecting.
...
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(sslFactory);
conn.setMethod("POST");
...
You'll want to create one SSLSocketFactory and keep it around. Here's a sketch of how to initialize it:
/* Load the keyStore that includes self-signed cert as a "trusted" entry. */
KeyStore keyStore = ...
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
sslFactory = ctx.getSocketFactory();
If you need help creating the key store, please comment.
Here's an example of loading the key store:
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(trustStore, trustStorePassword);
trustStore.close();
To create the key store with a PEM format certificate, you can write your own code using CertificateFactory, or just import it with keytool from the JDK (keytool won't work for a "key entry", but is just fine for a "trusted entry").
keytool -import -file selfsigned.pem -alias server -keystore server.jks

I read through LOTS of places online to solve this thing.
This is the code I wrote to make it work:
ByteArrayInputStream derInputStream = new ByteArrayInputStream(app.certificateString.getBytes());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(derInputStream);
String alias = "alias";//cert.getSubjectX500Principal().getName();
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null);
trustStore.setCertificateEntry(alias, cert);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(trustStore, null);
KeyManager[] keyManagers = kmf.getKeyManagers();
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
TrustManager[] trustManagers = tmf.getTrustManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null);
URL url = new URL(someURL);
conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sslContext.getSocketFactory());
app.certificateString is a String that contains the Certificate, for example:
static public String certificateString=
"-----BEGIN CERTIFICATE-----\n" +
"MIIGQTCCBSmgAwIBAgIHBcg1dAivUzANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE" +
"BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBE" +
... a bunch of characters...
"5126sfeEJMRV4Fl2E5W1gDHoOd6V==\n" +
"-----END CERTIFICATE-----";
I have tested that you can put any characters in the certificate string, if it is self signed, as long as you keep the exact structure above. I obtained the certificate string with my laptop's Terminal command line.

If creating a SSLSocketFactory is not an option, just import the key into the JVM
Retrieve the public key:
$openssl s_client -connect dev-server:443, then create a file dev-server.pem that looks like
-----BEGIN CERTIFICATE-----
lklkkkllklklklklllkllklkl
lklkkkllklklklklllkllklkl
lklkkkllklk....
-----END CERTIFICATE-----
Import the key: #keytool -import -alias dev-server -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev-server.pem.
Password: changeit
Restart JVM
Source: How to solve javax.net.ssl.SSLHandshakeException?

We copy the JRE's truststore and add our custom certificates to that truststore, then tell the application to use the custom truststore with a system property. This way we leave the default JRE truststore alone.
The downside is that when you update the JRE you don't get its new truststore automatically merged with your custom one.
You could maybe handle this scenario by having an installer or startup routine that verifies the truststore/jdk and checks for a mismatch or automatically updates the truststore. I don't know what happens if you update the truststore while the application is running.
This solution isn't 100% elegant or foolproof but it's simple, works, and requires no code.

I've had to do something like this when using commons-httpclient to access an internal https server with a self-signed certificate. Yes, our solution was to create a custom TrustManager that simply passed everything (logging a debug message).
This comes down to having our own SSLSocketFactory that creates SSL sockets from our local SSLContext, which is set up to have only our local TrustManager associated with it. You don't need to go near a keystore/certstore at all.
So this is in our LocalSSLSocketFactory:
static {
try {
SSL_CONTEXT = SSLContext.getInstance("SSL");
SSL_CONTEXT.init(null, new TrustManager[] { new LocalSSLTrustManager() }, null);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("Unable to initialise SSL context", e);
} catch (KeyManagementException e) {
throw new RuntimeException("Unable to initialise SSL context", e);
}
}
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
LOG.trace("createSocket(host => {}, port => {})", new Object[] { host, new Integer(port) });
return SSL_CONTEXT.getSocketFactory().createSocket(host, port);
}
Along with other methods implementing SecureProtocolSocketFactory. LocalSSLTrustManager is the aforementioned dummy trust manager implementation.

How to specify a certificate alias for a ResteasyClient/HttpClient keystore?

I'm looking at the docs for the ResteasyClientBuilder, in which there is the ability to specify a client keystore for 2-way SSL handshaking/authentication.
There is a method keystore() to specify the keystore (path + keystore password) as well as the private key for the client certificate. However, how do I specify the alias of the key that I want to use?
Given the the ResteasyClient leverages the HttpClient, I see the same issue in Apache's SSLSocketFactory constructors.
Is there anyway to specify an alias in either framework? Does this client keystore need to have only a single certificate pair? I don't see any options to specify an alias anywhere.

You can specify the alias to use by supplying a PrivateKeyStrategy to an SSLContextBuilder if you can use Apache HttpComponents.
private SSLContext createContext(String keyStorePath, String keyStorePassword, String privateKeyAlias) {
final char[] password = keyStorePassword.toCharArray();
// This keyStore could also come from `file.toURI().toURL();`
final URL keyStore = Application.class.getClassLoader().getResource(keyStorePath);
return SSLContextBuilder.create()
.loadKeyMaterial(keyStore, password, password, (aliases, socket) -> privateKeyAlias)
.loadTrustMaterial(keyStore, password)
.build();
}
If you need to use the context to connect to multiple end points, you can change the function (alias, socket) -> "aliasToUse" to suit your needs.

Java Rest Client using self-signed Certificate

Hello I'm trying to write a little Rest client which accesses our Cloud server (Rest Webservices). The connection is secured with a SSL Client Certificate which if I understand correctly is not signedby any Certification Authority, and am having problems.
I know that the certificate works fine as I can use this in other programming languages (e.g. C#, PHP, etc), and also because I am testing the API using Postman, however I cannot really understand how to do this in Java.
I have tried using the P12 certificate file, and I also have .key and .crt files, but still nothing changed. The .JKS file I have created using keytool.exe, and I presume it is correct (as far as I could understand).
This is the code I am using :
String keyPassphrase = certPwd;
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream("C:\\Test\\Certificate\\idscertificate.jks"), keyPassphrase.toCharArray());
SSLContext sslContext = SSLContexts.custom()
.loadKeyMaterial(keyStore, certPwd.toCharArray())
.build();
HttpClient httpClient = HttpClients.custom().setSslcontext(sslContext).build();
HttpResponse response = httpClient.execute(new HttpGet(
"https://url_that_I_am_using_to_call_my_rest_web_service"));
but every time I launch this I get an error:
"unable to find valid certification path to requested target".
As far as I could see this is because I don't have a Certification Authority to specify, am I correct?
Can anyone help me with this?
Thank you all for your help
Tommaso
/*******************
This is how I imported the P12 into the Keystore. I tried different ways, the last one i tried was:
First created the JKS:
keytool -genkey -alias myName -keystore c:\Test\Certificate\mykeystoreName.jks
then "cleaned up with:
keytool -delete -alias myName -keystore c:\Test\Certificate\myKeystoreName.jks
then imported the P12 file with:
keytool -v -importkeystore -srckeystore c:\Test\Certificate\idscertificate.p12 -srcstoretype PKCS12 -destkeystore c:\Test\Certificate\myKeystoreName.jks -deststoretype JKS
Result obtained:
Entry for alias idsclientcertificate successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
and if I check the content of the keystore I find my imported certificate.
Nevertheless I still get the same error.
Thank you for your help.
/****************************Update February 8th *******************
Ok I tried everything, but really everything and now slowly giving up... the situation is the following:
using the following code so far:
SSLContextBuilder sslContext = new SSLContextBuilder();
sslContext.loadKeyMaterial(readKeyStore(), userPwd.toCharArray());
//sslContext.loadTrustMaterial(readKeyStore(), new TrustSelfSignedStrategy());
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sslContext.build());
CloseableHttpClient client = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.setSSLHostnameVerifier(new NoopHostnameVerifier())
.build();
HttpGet httpGet = new HttpGet("https://myhost.com/myrest/status");
httpGet.addHeader("Accept", "application/json;charset=UTF8");
httpGet.addHeader("Cookie", "sessionids=INeedThis");
String encoded = Base64.getEncoder().encodeToString((userName+":"+userPwd).getBytes(StandardCharsets.UTF_8));
httpGet.addHeader("Authorization", "Basic "+encoded);
httpGet.addHeader("Cache-Control", "no-cache");
HttpResponse response = client.execute(httpGet);
Unfortunately still not working. I tried the following: - include my certificate in the default java cacerts, - specify the alias as my host name, - create a new jks, - load the p12 file, still nothing, same error.
Error Message I get is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If I don't use a certificate, I get another error indicating that the certificate is missing therefore the certificate is loaded (also I see it in my IDE).
If I use the exact same certificate file from another platform (c# or using a browser) I get the correct response and object (therefore the certificate/password are valid)
Is there any way that I can stop the validation of the certification path?

first of all thank you all for your help. I finally got it to work following these steps:
1 - I determined my root CA Cert using command:
openssl s_client -showcerts -connect my.root.url.com:443
then I imported this certificate using Portecle.exe (https://sourceforge.net/projects/portecle/) but you can also import it using the normal keytool command, into my default Java Keystore (jre/lib/security/cacerts)
--> Make sure you assign the root URL as Alias (e.g. *.google.com if you would connect to a google API). This seems to be very important.
Then I used the following code:
First created the ServerSocketFactory:
private static SSLSocketFactory getSocketFactory()
{
try
{
SSLContext context = SSLContext.getInstance("TLS");
// Create a key manager factory for our personal PKCS12 key file
KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance("SunX509");
KeyStore keyStore = KeyStore.getInstance("PKCS12");
char[] keyStorePassword = pk12Password.toCharArray(); // --> This is the Password for my P12 Client Certificate
keyStore.load(new FileInputStream(pk12filePath), keyStorePassword); // --> This is the path to my P12 Client Certificate
keyMgrFactory.init(keyStore, keyStorePassword);
// Create a trust manager factory for the trust store that contains certificate chains we need to trust
// our remote server (I have used the default jre/lib/security/cacerts path and password)
TrustManagerFactory trustStrFactory = TrustManagerFactory.getInstance("SunX509");
KeyStore trustStore = KeyStore.getInstance("JKS");
char[] trustStorePassword = jksTrustStorePassword.toCharArray(); // --> This is the Default password for the Java KEystore ("changeit")
trustStore.load(new FileInputStream(trustStorePath), trustStorePassword);
trustStrFactory.init(trustStore);
// Make our current SSL context use our customized factories
context.init(keyMgrFactory.getKeyManagers(),
trustStrFactory.getTrustManagers(), null);
return context.getSocketFactory();
}
catch (Exception e)
{
System.err.println("Failed to create a server socket factory...");
e.printStackTrace();
return null;
}
}
Then I created the connection using:
public static void launchApi()
{
try
{
// Uncomment this if your server cert is not signed by a trusted CA
HostnameVerifier hv = new HostnameVerifier()
{
public boolean verify(String urlHostname, SSLSession session)
{
return true;
}};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
URL url = new URL("https://myRootUrl.com/to/launch/api");
HttpsURLConnection.setDefaultSSLSocketFactory(getSocketFactory());
HttpsURLConnection urlConn = (HttpsURLConnection)url.openConnection();
String encoded = Base64.getEncoder().encodeToString((userName+":"+userPwd).getBytes(StandardCharsets.UTF_8)); //Acc User Credentials if needed to log in
urlConn.setRequestProperty ("Authorization", "Basic "+encoded);
urlConn.setRequestMethod("GET"); // Specify all needed Request Properties:
urlConn.setRequestProperty("Accept", "application/json;charset=UTF8");
urlConn.setRequestProperty("Cache-Control", "no-cache");
urlConn.connect();
/* Dump what we have found */
BufferedReader in =
new BufferedReader(
new InputStreamReader(urlConn.getInputStream()));
String inputLine = null;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
}
catch (Exception e)
{
e.printStackTrace();
}
}
This is what worked for me. Thank you all, and also thanks to:
this article that guided me on the right direction
Ciao

Instead of using loadKeyMaterial use loadTrustMaterial, the first one is for creating a SSLContext for a server, and the second one is for a client.
Example:
SSLContext sslContext = SSLContexts.custom()
.loadTrustMaterial(keyStore, new TrustSelfSignedStrategy())
.build();

How to make HTTPS GET call with certificate in Rest-Assured java

How can I make a GET call using Rest-Assured in java to a endpoint which requires certificate. I have certificate as .pem format. In PEM file there is certificate and private key.

In my case using "relaxed HTTPs validation" fixed my problem:
given().relaxedHTTPSValidation().when().post("https://my_server.com")

Got it working with following code -
KeyStore keyStore = null;
SSLConfig config = null;
try {
keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(
new FileInputStream("certs/client_cert_and_private.p12"),
password.toCharArray());
} catch (Exception ex) {
System.out.println("Error while loading keystore >>>>>>>>>");
ex.printStackTrace();
}
if (keyStore != null) {
org.apache.http.conn.ssl.SSLSocketFactory clientAuthFactory = new org.apache.http.conn.ssl.SSLSocketFactory(keyStore, password);
// set the config in rest assured
config = new SSLConfig().with().sslSocketFactory(clientAuthFactory).and().allowAllHostnames();
RestAssured.config = RestAssured.config().sslConfig(config);
RestAssured.given().when().get("/path").then();

I am new to rest-assured but I know this kind of problems using digital certificates for client authentication
In rest-assured doc is only an option to configure certificate: JKS
RestAssured.config = RestAssured.newConfig().sslConfig(new SSLConfig("/truststore_javanet.jks", "test1234");
Convert your PEM to JKS. Open it with portecle and ensure that the password is right and you have the certificate loaded and all the certification chain to CA root. Portecle simplify the command-line using a GUI and also allows you to create the JKS
http://portecle.sourceforge.net/
This error occurs ALWAYS when your java client do not trust in server certificate
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The easiest way to fix this is include the server certificate chain in your jdk keystore.
First, download the server certificates opening an https connection with your browser, for example with chrome. It does not matter it fails. Click on the green lock in the toolbar>Detail>See server certicate and download as PEM. It is best to download it yourself to make sure you are using the correct. Download all certificates of certification chain
Then, open jdk cacerts at JDK_HOME/jre/lib/security with portecle. Password will be 'changeit'. Add the server certificates as 'trusted'
Now, PKIX path building failed will dissapear. If not, check the certificates and the JDK you are using

Using RestAssured 3.0 I took #rohitkadam19's code and got it working so:
#Before
public void setUp() throws Exception {
try {
RestAssured.port = port;
RestAssured.useRelaxedHTTPSValidation();
RestAssured.config().getSSLConfig().with().keyStore("classpath:keystore.p12", "password");
} catch (Exception ex) {
System.out.println("Error while loading keystore >>>>>>>>>");
ex.printStackTrace();
}
}

The method using org.apache.http.conn.ssl.SSLSocketFactory is now deprecated. If you are using the latest version of RestAssured from io then the best method is to set your authentication using:
RestAssured.authentication =
RestAssured.certificate(
"/path/to/truststore",
"trust store password",
"/path/to/p12",
"p12 password",
CertificateAuthSettings.certAuthSettings());
Note, CertificateAuthSettings.certAuthSettings() uses default KeyStore settings, so be aware of this.

The code mentioned below just works,
public static void getArtifactsHttps(String args) {
String username = "username";
String password1 = "password";
StringBuilder authorization = new StringBuilder();
authorization.append(username).append(":").append(password);
String authHeader = "Basic " + Base64.getEncoder().encodeToString(authorization.toString().getBytes());
String response = RestAssured
.given()
.trustStore("D:\\workspace\\DemoTrust.jks", "DemoTrustKeyStorePassPhrase")
.when()
.contentType(MediaType.APPLICATION_JSON)
.accept(MediaType.APPLICATION_JSON)
.header("Authorization", authHeader)
.baseUri("https://server.us.oracle.com:55898")
.queryParam("name", args)
.get("/validendpoint").prettyPrint();
System.out.println("RESPONSE" + response);
}

You need to allow self-signed certificate for RestAssured client. To do so, you need to place your certificate (public key) to the truststore (not keystore).
RestAssured
.config()
.sslConfig(
sslConfig().with().trustStoreType("PKCS12").and()
.trustStore(ResourceUtils.getFile("classpath:keystore/keystore.p12"), "password"));

//headerMap is map of header
Get
Response response = given().headers(headerMap)
.config(RestAssuredConfig.config().decoderConfig(DecoderConfig.decoderConfig().defaultContentCharset("UTF-8")).and().sslConfig(new SSLConfig().relaxedHTTPSValidation())) .contentType(ContentType.JSON).when().get(url).then().extract().response();
Post
response = given().headers(headerMap) .config(RestAssuredConfig.config().decoderConfig(DecoderConfig.decoderConfig().defaultContentCharset("UTF-8")).and().sslConfig(new SSLConfig().relaxedHTTPSValidation()))
.contentType(ContentType.JSON).body(body).when().post(url).then().extract().response();

This worked for me, thank you everyone. I am using RestAssured v 3.0, this is for Post but we can just change that to .get() and removed .body(...)
ResponseSpecification responseSpec = null;
Response response123 = null;
RestAssured.config = RestAssured.config().sslConfig(
new SSLConfig().keystore("app trust.jks", password)
.keystore("key trust.jks", password));
responseSpec = given()
.urlEncodingEnabled(Encode url = true or false)
.body(BodyToPOST)
.config(RestAssured.config())
.contentType("application/json")
.headers(appropriate headers)
.expect()
.statusCode(200);
response123 = responseSpec.when()
.post(url)
.then()
.extract()
.response();

I had no luck with pretty much any of these answers on 4.3.3 version of RestAssured.
I finally discovered this: RestAssured.trustStore(truststoreFilePath, password)
Usage:
String truststore = Props.getStringProperty("truststore", ""); // truststore in jks format
if (StringUtils.isNotBlank(truststore)) {
File truststoreFile = new File(truststore);
if (!truststoreFile .exists()) {
throw new RuntimeException("Could not initialize the truststore
because file specified does not exist: " + truststore);
}
String password = Props.getStringProperty("truststorePassword", "changeit");
RestAssured.trustStore(truststoreFile.getAbsolutePath(), password);
}
Now
RestAssured.given()
.auth().basic(Props.getStringProperty("user"), Props.getStringProperty("authToken"))
.with().config(RestAssured.config().connectionConfig(new ConnectionConfig())).when().get("/my-service")
Has no more SSL handshake issues.

To understand the scenario, you must be looking into this answer if the server, which you are making a request to, is configured with a self-signed SSL certificate. Trust SSL certificates are automatically validated by the browser with the help of CA(Certificate Authorities), but if it is a self-signed SSL we must configure truststore to the rest client(rest assured in this case).
What is the truststore?
Truststore is kind of vault in which you place certificates which you believe are valid, to explain further, the process involved in https validation is similar to the following steps,
You make request to the server
Server sends a certificate
Now it is clients responsibility to validate the certificate, if it was trust SSL, then browser/ http client approaches CA to validate certificate's authenticity, but since it is self signed SSL, we have to configure the http client that whom it should approach for validating certificate and that configuration is truststore's configuration
Now to complete the configuration and make the http call, follow these steps
Create a truststore file with extension "jks" in your project, have to configure the password while creating the jks file.
Download the certificate from the browser or use the created certificate(both are same), certificate extension is usually "pem" or "crt"
Now we need to import the certificate into the truststore(*.jks file), run the below command in the terminal
keytool -importcert -alias "[[alias for certificate]]" -file
[[Certificate name]].pem -keystore [[truststore name]].jks -storepass
[[truststore password]]
Now we need to configure Rest assured that it should use this truststore for https validation
given().config(newConfig().sslConfig(new SSLConfig("/truststore.jks", "truststorepassword")))
We could use the above instance to perform http get request,
given().config(newConfig().sslConfig(new SSLConfig("/truststore.jks", "truststorepassword"))).get("URL")

How to add a client side pkcs12 certificate to Postman Chrome, W7 ?

I try to test a 'strange' GET request where I have to provide a BASIC authentication and a client side certificate.
I try to check it with Postman Chrome but I did not understand how to link the certificate from chrome personal certificate to my request.
I saw this discussion : https://github.com/a85/POSTMan-Chrome-Extension/issues/482 but it is about MAC keystore and I can't transpose is to W7/Chrome.
Here is my java code set up that should do the same job as postman to help you understand what I want postman to do. We use that post to write it
InputStream is = context.getResources().getAssets().open("CertificateFile.p12");
KeyStore keyStore = KeyStore.getInstance("PKCS12");
BufferedInputStream bis = new BufferedInputStream(is);
String password ="xxxxx";
keyStore.load(bis, password.toCharArray()); // password is the PKCS#12 password. If there is no password, just pass null
// Init SSL Context
KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
kmf.init(keyStore, password.toCharArray());
KeyManager[] keyManagers = kmf.getKeyManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, null, null);
HttpsURLConnection urlConnection = null;
String strURL = "theUrlITryToHit";
url = new URL(strURL);
urlConnection = (HttpsURLConnection) url.openConnection();
if(urlConnection instanceof HttpsURLConnection) {
((HttpsURLConnection)urlConnection)
.setSSLSocketFactory(sslContext.getSocketFactory());
}
urlConnection.setRequestMethod("GET");
String basicAuth = "Basic " + Base64.encodeToString("pseudo:password".getBytes(), Base64.NO_WRAP);
urlConnection.setRequestProperty ("Authorization", basicAuth);

I'm using a Mac, but its probably similar for you.
If you can use CURL on your PC, see if you can get it to work with CURL first:
curl --insecure --cert-type P12 --cert /path-to/your-file.p12:the-password https://your-host.com/endpoint
Postman Settings:
Postman->preferences->General
SSL certificate verification OFF
Postman Certs:
Postman->preferences->Certificates
Client Certificates:
Host yourhost.com
CRT file
Key file
PFX file /path-to-file/CertificateFile.p12
Passphrase your-file-password

I was having a similar issue and just got it working. My private key and cert were stored in a .pem file, so I first needed to put them in to a format that Windows would use. I did that with the following command:
openssl pkcs12 -inkey mycertandkey.pem -in mycert.crt -export -out mycertandkey.pfx
I did this in linux but it should work in Windows as well, if you have openssl installed.
Run certmgr.msc in Windows. Right-click the 'Personal' folder and select 'All tasks' -> 'Import...' and choose the .pfx file. Enter the passphrase and import it in to the 'Personal' folder.
Once that's done, you'll need to close your running Chrome windows. Then open Postman in a new window. When you attempt to connect to the URL, this time it should ask to confirm the use of the client cert. Once confirmed, you should be able to make calls to the URL from then on.