How to use client certificate authorization properly?
Posted By:   Jan_Kopinec
Posted On:   Tuesday, June 20, 2006 01:25 PM

Well, I have a private key generated by openssl and the certificate signed by our own CA. If I import them into the IE or Mozilla web browsers I can connect to our https server requiring client certificate authorization, so the certificate validity or the https server configuration does not seem to be an issue. I have a simple Java client code like:

import java.security.Security;
import HTTPClient.*;   // assumed: HTTPConnection/HTTPResponse from the HTTPClient library
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());   // register the JSSE provider
con = new HTTPConnection("https", SUREPAY_CARD_ADDRESS, Integer.parseInt(SUREPAY_PORT));
HTTPResponse rsp = con.Post(SUREPAY_CARD_URL, ccData);   // POST the card data over https

which is working well via https *without* the setup for client certificate authentication. I have just tried to import the client certificate into the default cacerts client keystore, but that alone probably does not "manage" this Java client to respond correctly to the server's SSL CertificateRequest.

What should be done to work out the client certificate authorization? Just change the configuration and put the private key somewhere, or rewrite the code to manage the client certificate? Would you have any link or example?


Re: How to use client certificate authorization properly?

Posted By:   shiladitya_sircar  
Posted On:   Thursday, July 6, 2006 11:36 PM

To answer your question I have to explain the notion of SSL certificate and key management in the context of your JRE. A keystore file and a truststore file are the two placeholders for these elements. The keystore holds key entries, each of which is an entity's identity and its private key, used to identify oneself to a server as a trusted client. The truststore holds trusted certificate entries, each of which is an entity's identity (usually a certificate authority, or CA) and its public key, which are used to identify trusted servers.

Mutual authentication is establishing reciprocal trust between your server and client. What you have done by importing the server certificate into the browser is that you have enabled the browser (client) to trust your server. You must do something similar for your server to trust your browser (client). To do this, your client must generate (or you generate on behalf of the client) a version of the certificate containing its identity and public key, which the server must store in its truststore. You can do this with keytool.exe (from jre/bin) to import the client certificate into the truststore.
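The keystore/truststore split described in the reply above, shown on the client side as an added example (this is not code from either poster, and it uses plain JSSE/HttpsURLConnection rather than the HTTPClient library in the question). The point it demonstrates: the KeyManager that answers the server's CertificateRequest needs the private key, so the OpenSSL key and CA-signed certificate must go into a keystore (here a PKCS#12 file), while the truststore only needs the CA certificate. File names, passwords, the URL and the POST body are placeholders and assumptions for this example; it targets a current JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the original post): a JSSE client that presents a
// client certificate and validates the server against our own CA.
// File names, passwords and the URL are placeholders; substitute your own.
public class ClientCertPost {

    // Keystore = our identity: the OpenSSL private key plus the CA-signed client
    // certificate, converted to PKCS#12 (see the openssl command in the text below).
    static final String KEYSTORE_FILE = "client.p12";
    static final char[] KEYSTORE_PASS = "changeit".toCharArray();

    // Truststore = who we trust: only our CA's certificate, imported with keytool.
    static final String TRUSTSTORE_FILE = "truststore.jks";
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    static KeyStore load(String type, String file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);
        }
        return ks;
    }

    static SSLContext buildContext() throws Exception {
        // The KeyManager answers the server's CertificateRequest; it needs the
        // private key, which is why importing only the certificate into cacerts
        // (a truststore) is not enough.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", KEYSTORE_FILE, KEYSTORE_PASS), KEYSTORE_PASS);

        // The TrustManager validates the server's chain against our CA only.
        // Never replace this with an accept-everything X509TrustManager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", TRUSTSTORE_FILE, TRUSTSTORE_PASS));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; pass the real one as the first argument.
        String url = args.length > 0 ? args[0] : "https://surepay.example/card";
        HttpsURLConnection con = (HttpsURLConnection) new URL(url).openConnection();
        con.setSSLSocketFactory(buildContext().getSocketFactory());
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        byte[] body = "ccData=placeholder".getBytes("UTF-8"); // constructed sample body
        try (OutputStream out = con.getOutputStream()) {
            out.write(body);
        }
        // A handshake exception, or a 401/403 from the server, usually means the
        // server did not receive (or did not accept) our client certificate.
        System.out.println("HTTP " + con.getResponseCode() + " via " + con.getCipherSuite());
    }
}
```

To produce the two files from the OpenSSL material in the question: `openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12 -name client` bundles the private key and certificate into the keystore, and `keytool -importcert -alias ourca -file ca.crt -keystore truststore.jks` puts the CA certificate into the truststore. If you would rather not change code, the same two files can be handed to the default SSLContext with the system properties javax.net.ssl.keyStore, javax.net.ssl.keyStoreType (PKCS12), javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword; either way the private key has to live in a keystore, because the truststore never supplies one.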