"org.apache.commons.ssl.Ping" contains a main method to help you diagnose SSL issues. It's modeled on OpenSSL's very handy "s_client" utility. We've been very careful to make sure "org.apache.commons.ssl.Ping" can execute without any additional jar files on the classpath (except if using Java 1.3 - then you'll need jsse.jar).
"Ping" Utility Attempts "HEAD / HTTP/1.1" Request
This utility is very handy because it can get you the server's public
certificate even if your client certificate is bad (so even though the SSL
handshake fails).  And unlike "openssl s_client", this utility can bind
against any IP address available.
Usage:  java -jar not-yet-commons-ssl-0.3.13.jar [options]
Version: 0.3.13   Compiled: [PDT:2014-05-08/14:15:16.000]
Options:   (*=required)
*  -t  --target           [hostname[:port]]              default port=443
   -b  --bind             [hostname[:port]]              default port=0 "ANY"
   -r  --proxy            [hostname[:port]]              default port=80
   -tm --trust-cert       [path to trust material]       {pem, der, crt, jks}
   -km --client-cert      [path to client's private key] {jks, pkcs12, pkcs8}
   -cc --cert-chain       [path to client's cert chain for pkcs8/OpenSSL key]
   -p  --password         [client cert password]
   -h  --host-header      [http-host-header]      in case -t is an IP address
   -u  --path             [path for GET/HEAD request]    default=/
   -m  --method           [http method to use]           default=HEAD
Example:
java -jar commons-ssl.jar -t host.com:443 -c ./client.pfx -p `cat ./pass.txt` TODO:
Apparently Java 6.0 includes support for grabbing passwords from
standard-in without echoing the typed characters.  Would be nice to use that feature when it's
available, instead of requiring the password to be specified as a command-line argument.
java -cp not-yet-commons-ssl-0.3.13.jar org.apache.commons.ssl.KeyStoreBuilder
KeyStoreBuilder converts PKCS12 and PKCS8 to Java "Keystore", and vice versa.
KeyStoreBuilder:  creates '[alias].jks' (Java Key Store)
    -topk8 mode:  creates '[alias].pem' (x509 chain + unencrypted pkcs8)
[alias] will be set to the first CN value of the X509 certificate.
-------------------------------------------------------------------
Usage1: [password] [file:pkcs12]
Usage2: [password] [file:private-key] [file:certificate-chain]
Usage3: -topk8 [password] [file:jks]
-------------------------------------------------------------------
[private-key] can be openssl format, or pkcs8.
[password] decrypts [private-key], and also encrypts outputted JKS file.
All files can be PEM or DER.