Getting Grinder To Work with a Self-Signed Certificate

Recently, I’ve been working a bunch with Grinder to do some load testing.  I’ve had great success with it in the past, and wanted to punish an app.  My test needs to make HTTP and HTTPS requests which I never anticipated would be a problem.  Unfortunately, my server has a self-signed certificate which the Java processes refused to recognize.  I tried adding the certificates through the Java Console but that led to these weird no peer exceptions (shudder).

I figured that I would have to use keytool to load the certificates.  What I did not realize is that you cannot load a self-signed key where you already have a certificate using keytool directly!  So I had to follow the following steps

  1. Convert my certs from PEM format into DER format
> openssl pkcs8 -topk8 -nocrypt -in server.key \
-inform PEM -out key.der -outform DER
> openssl x509 -in server.csr -inform PEM \
-out cert.der -outform DER
  1. Use the Java code from this AgentBob post to create a keystore

> java -Dkeystore=mycerts ImportKey key.der cert.der

  1. Now when running the TCPProxy, I had to add the following:

java -Djavax.net.debug=all -classpath $GRINDER_JAR \

net.grinder.TCPProxy -console -http \

-keystore mycerts -keyStorePassword importkey

  1. To use the certs from my Agent process


from java.lang import System
grinder.SSLControl.setKeyStoreFile(System.getProperty("keystore"),System.getProperty("keypass"))
  1. Finally, I needed to add this to the properties file for my Grinder agent process

grinder.jvm.arguments=-Dkeystore=mycerts -Dkeypass=importkey

And tada it works! One other tidbit: using -Djavax.net.debug=ssl was invaluable in debugging. You can use -Djavax.net.debug=help to find out all of the debug options.

One thought on “Getting Grinder To Work with a Self-Signed Certificate


  1. Hey Rob, have you tried an SSL proxy? Basically, speak http to a proxy and have it handle the SSL negotiation for you.

Comments are closed.