Java applets and client-side SSL certificates?


Charles Goehring

Applet Gurus,

Is anybody out there doing Java applets and client-side SSL certificates?

When I turn the requirement on in Apache, I get handshake failure errors
when the applet tries to load. Certificates are installed in the web
browser for the user's HTML browsing.

Some of our customers are on locked-down machines that don't allow
"installation of software", but they have JRE 1.4.2 and Java Web Start.

I am considering using Java Network Launch Protocol (JNLP) or some other kind
of applet-based install, but I think this would require a signed applet.
This, in turn, would require a certificate to be installed beforehand
(to validate the signed jar). Since our certs are all done in-house,
I'm in a chicken-and-egg situation. All certificates are issued by an
internal CA but are not easy to get for various reasons.

Is there an easy way to mass-install certificates (to keystores) in a
secure way without touching all the workstations?

The applet/client-side certificates present four problems as I see it:
1. Handling the user's certificate securely
2. Maintaining the internal CA and root certs
3. Excessive prompting for multiple passwords to keystores
4. Keystore security (Bouncy Castle libs are 1 MB)

Does anyone have any advice to give?
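The handshake failure described above is what a server configured to require a client certificate returns when the Java side never presents one: the Java plug-in (JSSE) does not use the browser's certificate store, so both the internal CA and the user's own certificate have to live in a Java keystore. The program below is an added example, not code from the original post or from the poster's applet; it shows the JSSE wiring a client needs for exactly that. The keystore paths, the passwords taken from the command line, and the URL are placeholders (assumptions), and it assumes the user's certificate and private key have been exported from the browser as a PKCS#12 file and the internal CA certificate has been imported into a JKS trust store with keytool.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): build a JSSE SSLContext that
 * (a) trusts the internal CA and (b) presents the user's client certificate,
 * then fetch a URL through it. Written against the JSSE API that shipped
 * with JRE 1.4, so no generics or try-with-resources.
 */
public class ClientCertDemo {

    // Assumed paths: the user's certificate + private key exported from the
    // browser as PKCS#12, and the internal CA's certificate imported into a
    // JKS trust store (e.g. with "keytool -import -trustcacerts ...").
    static final String CLIENT_P12 = "/path/to/user.p12";
    static final String TRUST_JKS  = "/path/to/internal-ca-truststore.jks";

    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    static SSLContext buildContext(char[] p12Password, char[] trustPassword) throws Exception {
        // Key managers supply the client certificate during the handshake.
        // Without them, a server that requires a client certificate (Apache
        // "SSLVerifyClient require") aborts the handshake, which is the
        // symptom described in the post.
        KeyStore clientKeys = load("PKCS12", CLIENT_P12, p12Password);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, p12Password);

        // Trust managers accept the server certificate issued by the internal CA.
        // The browser's trust store is not consulted by the Java plug-in, so the
        // CA must be in a Java keystore: this one, or the JRE's lib/security/cacerts.
        KeyStore trust = load("JKS", TRUST_JKS, trustPassword);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientCertDemo <https-url> <p12-password> <truststore-password>");
            System.exit(2);
        }
        SSLContext ctx = buildContext(args[1].toCharArray(), args[2].toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        // Scope the context to this connection rather than calling
        // HttpsURLConnection.setDefaultSSLSocketFactory, which would affect
        // every HTTPS connection in the JVM.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode()
                           + " negotiated with " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

Two caveats for the applet case. First, an unsigned applet runs in the sandbox and cannot open keystore files on disk, so this code only works as an application, a Java Web Start application granted file permissions, or a signed applet; the alternative that needs no file access in the applet itself is to point the JRE at the stores with the `javax.net.ssl.keyStore`, `javax.net.ssl.keyStorePassword`, `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties, which the default JSSE socket factory honours. Second, for the "mass-install without touching workstations" question, the CA certificate (not the user's private key) is the only thing that needs to reach every JRE, and `keytool -import -trustcacerts -alias internal-ca -file ca.pem -keystore <jre>/lib/security/cacerts` is the standard way to add it; whatever mechanism does that on a locked-down machine must itself be trusted, since anyone who can append to cacerts can make the JRE trust a CA of their choosing.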