
While not recommended, you can also disable SSL cert validation altogether:

    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public static void disableCertificateValidation() {
        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
                public void checkClientTrusted(X509Certificate[] certs, String authType) { }
                public void checkServerTrusted(X509Certificate[] certs, String authType) { }
            }
        };

        // Ignore differences between given hostname and certificate hostname
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };

        // Install the all-trusting trust manager (JVM-wide defaults)
        try {
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
            HttpsURLConnection.setDefaultHostnameVerifier(hv);
        } catch (Exception e) {
            // Errors are silently ignored
        }
    }

Finally solved it ;). Got a strong hint here (Gandalf's answer touched a bit on it as well). The missing link was (mostly) the first of the parameters below, and to some extent that I overlooked the difference between keystores and truststores.

The self-signed server certificate must be imported into a truststore:

    keytool -import -alias gridserver -file gridserver.crt -storepass $PASS -keystore gridserver.keystore

These properties need to be set (either on the commandline, or in code):

    -Djavax.net.ssl.keyStoreType=pkcs12
    -Djavax.net.ssl.trustStoreType=jks
    -Djavax.net.ssl.keyStore=clientcertificate.p12
    -Djavax.net.ssl.trustStore=gridserver.keystore
    -Djavax.net.debug=ssl # very verbose debug
    -Djavax.net.ssl.keyStorePassword=$PASS
    -Djavax.net.ssl.trustStorePassword=$PASS

Working example code:

    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSocketFactory;

    // The default factory picks up the javax.net.ssl.* properties set above
    SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    URL url = new URL("https://gridserver:3049/cgi-bin/ls.py");
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    conn.setSSLSocketFactory(sslsocketfactory);

    // Read the response line by line
    InputStream inputstream = conn.getInputStream();
    InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
    BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
    String string = null;
    while ((string = bufferedreader.readLine()) != null) {
        System.out.println("Received " + string);
    }

The GlobalSign Root Certificate is marked for a number of intended purposes. This makes it a very strong and flexible Root Certificate able to perform all Public Key Infrastructure (PKI) related activities:

- Ensures the identity of a remote computer
- Proves your identity to a remote computer
- Ensures software came from software publisher
- Protects software from alteration after publication
- Protects e-mail messages
- Allows data to be signed with the current time
- Allows data on disk to be encrypted
- Allows secure communication on the Internet
- Permits all key usage policies
- OCSP Signing

Install to your local keystore the SSL certificates that your application needs to connect to a remote server over SSL.

SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.

SSL Certificates bind together:

- A domain name, server name or hostname.
- An organizational identity (i.e. company name) and location.

An organization needs to install the SSL Certificate onto its web server to initiate secure sessions with browsers. Depending on the type of SSL Certificate applied for, the organization will need to go through differing levels of vetting. Once installed, it is possible to connect to the website over https://www.domain.com, as this tells the server to establish a secure connection with the browser. Once a secure connection is established, all web traffic between the web server and the web browser will be secure.

A keystore contains private keys, and the certificates with their corresponding public keys.

A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.
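The keystore/truststore split described above, and the "in code" alternative to the `-Djavax.net.ssl.*` properties, shown as an added example that is not code from the original page: it builds an `SSLContext` from the page's `clientcertificate.p12` and `gridserver.keystore` and applies it to one connection, so certificate and hostname validation stay enabled. The class name `MutualTlsClient` and reading the password from a `PASS` environment variable are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient { // hypothetical class name

    // Load a store of the given type ("PKCS12" or "JKS") from disk.
    static KeyStore load(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // Keystore: our private key and client certificate, presented to the server.
    // Truststore: the server's self-signed certificate, used to validate it.
    static SSLContext buildContext(KeyStore keyStore, char[] keyPass, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the store password is supplied in the PASS environment variable.
        String env = System.getenv("PASS");
        if (env == null) throw new IllegalStateException("PASS is not set");
        char[] pass = env.toCharArray();
        KeyStore keys = load("clientcertificate.p12", "PKCS12", pass);
        KeyStore trust = load("gridserver.keystore", "JKS", pass);

        URL url = new URL("https://gridserver:3049/cgi-bin/ls.py");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scoped to this connection; JVM-wide defaults and the default
        // hostname verifier are left untouched.
        conn.setSSLSocketFactory(buildContext(keys, pass, trust).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the default hostname verifier remains in place, the certificate imported as `gridserver` must actually name the host `gridserver`, otherwise the handshake fails.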