JSSE -- SSL with client authentication and keystore with multiple certs

Discussion in 'Java' started by John Salvo, Sep 1, 2003.

  1. John Salvo

    John Salvo Guest

    If you have one keyStore that has multiple client certificates in it
    (say one for each HTTPS webserver that requires client authentication),
    how does JSSE know which one of these certificates in the keystore to
    send to the server?
    John Salvo, Sep 1, 2003

  2. John Salvo

    John Salvo Guest

    Just as a followup ... I have found a solution:

    1) The KeyStore class has a boolean variable initialized that first
    needs to be true before you can call setKeyEntry(), and the only way to
    set this to true is to call load().

    2) Java's PKCS12 keystore implementation does not implement the store()
    method. I therefore could not combine and "save" a new PKCS12 file.

    3) The alternative that worked is to create a new JKS keystore using
    keytool, load that in your Java program, then call setKeyEntry() for
    each alias / Key / Certificate Chain that you have loaded on your
    existing PKCS12 keystores ... then call store().

    After that, you setup your KeyManagerFactory with the new JKS keystore,
    setup an SSLContext with the KeyManagers from the KeyManagerFactory.
    Then lastly, call
    sslcontext.getSSLSocketFactory() );

    When that is done, I was able to authenticate myself to webservers that
    required SSL client authentication.


    John Salvo
    John Salvo, Sep 5, 2003

  3. John Salvo

    John Salvo Guest

    Alternatively, the easier way to combine your client certs is:

    1) Create a new JKS keystore with keytool

    2) For each of your PKCS12 files, export the key to another file

    3) For each of the exported keys from the PKCS12 files, import them into
    the JKS keystore.

    4) Use the JKS keystore in your code
    John Salvo, Sep 8, 2003
  4. John Salvo

    John Salvo Guest

    Turns out using keytool will not work ... when you export from the
    PKCS12 and import into JKS, only the key, but not the certificate itself
    is added ( or exported from PKCS12 ).

    You have to do it by writing Java code.
    John Salvo, Sep 9, 2003
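The merge procedure from the Sep 5 post (load a JKS, setKeyEntry() for each key/chain pulled out of the PKCS12 files, store(), then build a KeyManagerFactory and SSLContext), written out as an added example; this is not code from the thread. It assumes the PKCS12 files all open with the same password and that the caller supplies the file paths and the output keystore password; the alias-collision handling is an addition, since setKeyEntry() overwrites an existing alias silently.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.*;

public class MergeClientCerts {

    // Copies every private-key entry (key + certificate chain) from the PKCS12 files
    // into one JKS keystore, writes it to jksOut and returns it.
    public static KeyStore merge(String[] p12Files, char[] p12Pass,
                                 String jksOut, char[] jksPass) throws Exception {
        KeyStore jks = KeyStore.getInstance("JKS");
        // load(null, ...) initialises an empty keystore so setKeyEntry() is allowed;
        // loading a keytool-created file from a FileInputStream works the same way.
        jks.load(null, null);
        for (String file : p12Files) {
            KeyStore p12 = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(file)) {
                p12.load(in, p12Pass);
            }
            for (Enumeration<String> e = p12.aliases(); e.hasMoreElements(); ) {
                String alias = e.nextElement();
                if (!p12.isKeyEntry(alias)) continue; // skip trusted-cert-only entries
                Key key = p12.getKey(alias, p12Pass);
                Certificate[] chain = p12.getCertificateChain(alias);
                // PKCS12 files from different tools often share an alias such as "1";
                // setKeyEntry() would silently overwrite, so prefix with the file name.
                String target = jks.containsAlias(alias) ? file + ":" + alias : alias;
                jks.setKeyEntry(target, key, jksPass, chain);
            }
        }
        try (OutputStream out = new FileOutputStream(jksOut)) {
            jks.store(out, jksPass);
        }
        return jks;
    }

    // Builds an SSLContext whose key manager holds all merged identities. The default
    // X509KeyManager picks one per handshake from the issuer names and key types the
    // server lists in its CertificateRequest; if several entries satisfy the same
    // server, choosing between them needs a custom X509KeyManager.
    public static SSLContext clientContext(KeyStore jks, char[] jksPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(jks, jksPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = platform defaults
        return ctx;
    }
}
```

Install the result with HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSSLSocketFactory()) before opening connections; the merged JKS now holds every client private key, so protect it at least as carefully as the original PKCS12 files.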