JSSE -- SSL with client authentication and keystore with multiple certs

Discussion in 'Java' started by John Salvo, Sep 1, 2003.

  1. John Salvo (Guest)

    If you have one keyStore that has multiple client certificates in it
    (say one for each HTTPS webserver that requires client authentication),
    how does JSSE know which one of these certificates in the keystore to
    send to the server?
    John Salvo, Sep 1, 2003
    #1

  2. John Salvo (Guest)


    Just as a followup ... I have found a solution:

    1) The KeyStore class has a boolean variable initialized that first
    needs to be true before you can call setKeyEntry(), and the only way to
    set this to true is to call load().

    2) Java's PKCS12 keystore implementation does not implement the store()
    method. I therefore could not "save" a combined new PKCS12 file.

    3) The alternative that worked is to create a new JKS keystore using
    keytool, load that in your Java program, then call setKeyEntry() for
    each alias / Key / Certificate Chain that you have loaded on your
    existing PKCS12 keystores ... then call store().

    After that, you set up your KeyManagerFactory with the new JKS keystore,
    and set up an SSLContext with the KeyManagers from the KeyManagerFactory.
    Then lastly, call
    HttpsURLConnection.setDefaultSSLSocketFactory(
    sslcontext.getSSLSocketFactory() );

    When that is done, I was able to authenticate myself to webservers that
    required SSL client authentication.

    Regards,

    John Salvo
    John Salvo, Sep 5, 2003
    #2
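The procedure in the post above, written out as one runnable program. This is an added example, not code from the thread: it loads each PKCS12 file, copies every private-key entry with its certificate chain into a JKS keystore, stores that keystore, and installs it as the default identity for HttpsURLConnection. Instead of creating the empty JKS with keytool it calls KeyStore.load(null, null), which is what marks a KeyStore as initialized so that setKeyEntry() is allowed. File names ("server-a.p12", "server-b.p12", "client-identities.jks") and the password "changeit" are assumptions. One caveat on point 2 of the post: on Java 5 and later the PKCS12 KeyStore can be stored as well, so the JKS detour is only required on the JDK 1.4-era runtime the post was written against.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/**
 * Merges the private-key entries of several PKCS12 files into one JKS
 * keystore, writes it out, and installs it as the default client identity
 * for HttpsURLConnection. File names and passwords are assumptions.
 */
public class MergeClientIdentities {

    /** Loads a PKCS12 file; load() is what marks the KeyStore as initialized. */
    static KeyStore loadPkcs12(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Copies every private-key entry of src, together with its certificate
     * chain, into dst. Trusted-certificate entries are skipped: they are not
     * client identities. Aliases are prefixed so entries from different
     * files cannot overwrite each other. Returns the number of entries copied.
     */
    static int copyKeyEntries(KeyStore src, char[] srcKeyPass, KeyStore dst,
                              char[] dstKeyPass, String aliasPrefix)
            throws GeneralSecurityException {
        int copied = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!src.isKeyEntry(alias)) {
                continue;
            }
            Key key = src.getKey(alias, srcKeyPass);
            Certificate[] chain = src.getCertificateChain(alias);
            if (key == null || chain == null || chain.length == 0) {
                throw new GeneralSecurityException("entry " + alias + " has no key or no chain");
            }
            dst.setKeyEntry(aliasPrefix + "-" + alias, key, dstKeyPass, chain);
            copied++;
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        char[] p12Pass = "changeit".toCharArray(); // assumed PKCS12 password
        char[] jksPass = "changeit".toCharArray(); // assumed JKS and key password

        // Empty, initialized JKS: load(null, null) satisfies the "call load()
        // before setKeyEntry()" rule without a keytool-created file.
        KeyStore merged = KeyStore.getInstance("JKS");
        merged.load(null, null);

        // Hypothetical inputs: one PKCS12 per server that requires client auth.
        String[] p12Files = { "server-a.p12", "server-b.p12" };
        for (String file : p12Files) {
            String prefix = file.replaceAll("\\.p12$", "");
            int n = copyKeyEntries(loadPkcs12(file, p12Pass), p12Pass, merged, jksPass, prefix);
            System.out.println(file + ": copied " + n + " key entries");
        }

        try (FileOutputStream out = new FileOutputStream("client-identities.jks")) {
            merged.store(out, jksPass);
        }

        // Identity side of the TLS handshake comes from the merged keystore.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(merged, jksPass);

        // Null trust managers and null SecureRandom select the JDK defaults
        // (the cacerts trust store for server verification).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);

        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSSLSocketFactory());
        // Every HttpsURLConnection opened after this point can present a client cert.
    }
}
```

Note that the merged JKS now holds several private keys under one password; treat the file with the same care as each original PKCS12, and prefer the alias prefix over bare aliases so that two files exporting the same default alias (often "1") do not silently overwrite each other.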

  3. John Salvo (Guest)


    Alternatively, the easier way to combine your client certs is:

    1) Create a new JKS keystore with keytool

    2) For each of your PKCS12 files, export the key to another file.

    3) For each of the exported keys from the PKCS12 files, import it into
    the JKS keystore.

    4) Use the JKS keystore in your code
    John Salvo, Sep 8, 2003
    #3
  4. John Salvo (Guest)


    Turns out using keytool will not work: when you export from the
    PKCS12 and import into JKS, only the key, but not the certificate itself,
    is added (or exported from PKCS12).

    You have to do it by writing Java code.
    John Salvo, Sep 9, 2003
    #4
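The thread never answers the opening question, how JSSE picks one of several client certificates, so here is an added example addressing it; it is not code from the thread. The JDK's default (SunX509) key manager answers a server's CertificateRequest by filtering the keystore's key entries on the requested key types and the accepted issuer names, and then returns the first alias that matches. When several identities were issued by the same CA, that choice is effectively arbitrary. The class below wraps the default key manager and overrides only client alias selection, choosing the alias from a host-to-alias map keyed on the host the socket or SSLEngine is connecting to; if the host is unknown, or the mapped identity would not satisfy the server's request, it sends no certificate rather than a random one. The map contents, the "SunX509" algorithm name and the contextFor helper are assumptions of this example. (The keytool limitation in the post above is a JDK 1.4-era one: from JDK 6 on, keytool -importkeystore with -srcstoretype PKCS12 copies a key together with its chain.)

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Chooses the client certificate by destination host. Wraps the JDK's
 * SunX509 key manager and overrides only client alias selection; chain
 * and private-key lookups are delegated unchanged. The host-to-alias map
 * is supplied by the caller (an assumption of this example).
 */
public final class HostBoundKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final Map<String, String> aliasByHost; // keys: lower-case host names

    public HostBoundKeyManager(X509KeyManager delegate, Map<String, String> aliasByHost) {
        this.delegate = delegate;
        this.aliasByHost = aliasByHost;
    }

    /**
     * Returns the alias configured for host, but only if the delegate lists it
     * among the aliases acceptable to the server (key types and issuer DNs from
     * the CertificateRequest). Unknown host or unacceptable identity yields null,
     * so no client certificate is sent instead of an arbitrary one.
     */
    String aliasFor(String host, String[] keyTypes, Principal[] issuers) {
        String wanted = host == null ? null : aliasByHost.get(host.toLowerCase(Locale.ROOT));
        if (wanted == null || keyTypes == null) {
            return null;
        }
        for (String keyType : keyTypes) {
            String[] acceptable = delegate.getClientAliases(keyType, issuers);
            if (acceptable == null) {
                continue;
            }
            for (String alias : acceptable) {
                if (alias.equalsIgnoreCase(wanted)) { // keystore aliases are case-insensitive
                    return alias;
                }
            }
        }
        return null;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String host = null;
        if (socket instanceof SSLSocket) {
            // Peer host as given when the socket was created; available mid-handshake.
            SSLSession handshake = ((SSLSocket) socket).getHandshakeSession();
            if (handshake != null) {
                host = handshake.getPeerHost();
            }
        }
        return aliasFor(host, keyTypes, issuers);
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return aliasFor(engine == null ? null : engine.getPeerHost(), keyTypes, issuers);
    }

    // Everything else is passed straight through to the JDK key manager.
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext whose client identity is selected per host. */
    public static SSLContext contextFor(KeyStore identities, char[] keyPassword,
                                        Map<String, String> aliasByHost) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(identities, keyPassword);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                base = (X509KeyManager) km;
                break;
            }
        }
        if (base == null) {
            throw new IllegalStateException("SunX509 produced no X509KeyManager");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Null trust managers: the JDK default trust store verifies the server.
        ctx.init(new KeyManager[] { new HostBoundKeyManager(base, aliasByHost) }, null, null);
        return ctx;
    }
}
```

To use it with the merged keystore from the earlier post, call contextFor(merged, jksPass, Map.of("www.server-a.example", "server-a-1", "www.server-b.example", "server-b-1")) and pass ctx.getSSLSocketFactory() to HttpsURLConnection.setDefaultSSLSocketFactory(); the host names and aliases in that map are placeholders. Because the lookup is keyed on the peer host name JSSE already has, the same mechanism works unchanged for SSLEngine-based clients through chooseEngineClientAlias.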
