JSSE -- SSL with client authentication and keystore with multiple certs


John Salvo

If you have one keyStore that has multiple client certificates in it (
say one for each HTTPS webserver that requires client authentication ),
how does JSSE know which one of these certificates in the keystore to
send to the server ?
 

John Salvo

John said:
If you have one keyStore that has multiple client certificates in it (
say one for each HTTPS webserver that requires client authentication ),
how does JSSE know which one of these certificates in the keystore to
send to the server ?

Just as a followup ... I have found a solution:

1) The KeyStore class has a boolean variable initialized that first
needs to be true before you can call setKeyEntry(), and the only way to
set this to true is to call load().

2) Java's PKCS12 keystore implementation does not implement the store()
method. I therefore could not combine "save" a new PKCS12 file.

3) The alternative that worked is to create a new JKS keystore using
keytool, load that in your Java program, then call setKeyEntry() for
each alias / Key / Certificate Chain that you have loaded on your
existing PKCS12 keystores ... then call store().

After that, you setup your KeyManagerFactory with the new JKS keystore,
setup an SSLContext with the KeyManagers from the KeyManagerFactory.
Then lastly, call
HttpsURLConnection.setDefaultSSLSocketFactory(
sslcontext.getSSLSocketFactory() );

When that is done, I was able to authenticate myself to webservers that
required SSL client authentication.

Regards,

John Salvo
 

John Salvo

John said:
Just as a followup ... I have found a solution:

1) The KeyStore class has a boolean variable initialized that first
needs to be true before you can call setKeyEntry(), and the only way to
set this to true is to call load().

2) Java's PKCS12 keystore implementation does not implement the store()
method. I therefore could not combine "save" a new PKCS12 file.

3) The alternative that worked is to create a new JKS keystore using
keytool, load that in your Java program, then call setKeyEntry() for
each alias / Key / Certificate Chain that you have loaded on your
existing PKCS12 keystores ... then call store().

After that, you setup your KeyManagerFactory with the new JKS keystore,
setup an SSLContext with the KeyManagers from the KeyManagerFactory.
Then lastly, call
HttpsURLConnection.setDefaultSSLSocketFactory(
sslcontext.getSSLSocketFactory() );

When that is done, I was able to authenticate myself to webservers that
required SSL client authentication.

Regards,

John Salvo



Alternatively, the easier way to combine your client certs is:

1) Create a new JKS keystore with keytool

2) For each of your PKCS12 files, export the key to another file

3) For each of the exported keys from the PKCS12 files, import them into
the JKS keystore.

4) Use the JKS keystore in your code
 

John Salvo

John said:
Alternatively, the easier way to combine your client certs is:

1) Create a new JKS keystore with keytool

2) For each of your PKCS12 files, export the key to another file

3) For each of the exported keys from the PKCS12 files, import them into
the JKS keystore.

4) Use the JKS keystore in your code

Turns out using keytool will not work ... when you export from the
PKCS12 and import into JKS, only the key, but not the certificate itself
is added ( or exported from PKCS12 ).

You have to do it by writing Java code.
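The merge John describes in steps 1) to 3), written out as an added example (not code from the thread): each PKCS12 file is loaded, every key entry is copied together with its full certificate chain into one JKS keystore via setKeyEntry(), and that keystore then feeds a KeyManagerFactory and SSLContext. File names, passwords and the alias prefixing are assumptions for illustration; the prefix avoids the second PKCS12 file silently overwriting the first when both use the same alias (often "1").

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class MergeClientCerts {
    // Hypothetical file names and passwords; replace with your own values.
    static final String[] P12_FILES = {"client-a.p12", "client-b.p12"};
    static final char[] P12_PASS = "changeit".toCharArray();
    static final String JKS_FILE = "merged-clients.jks";
    static final char[] JKS_PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // load() must run before setKeyEntry(); a null stream creates an empty store.
        KeyStore merged = KeyStore.getInstance("JKS");
        merged.load(null, null);

        for (String file : P12_FILES) {
            KeyStore p12 = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(file)) {
                p12.load(in, P12_PASS);
            }
            Enumeration<String> aliases = p12.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!p12.isKeyEntry(alias)) continue;   // skip trusted-cert-only entries
                PrivateKey key = (PrivateKey) p12.getKey(alias, P12_PASS);
                Certificate[] chain = p12.getCertificateChain(alias);
                // Copy key AND chain: keytool export/import drops the chain, which is
                // why JSSE then has nothing to present to the server.
                String target = file.replace(".p12", "") + "-" + alias;
                merged.setKeyEntry(target, key, JKS_PASS, chain);
            }
        }
        try (FileOutputStream out = new FileOutputStream(JKS_FILE)) {
            merged.store(out, JKS_PASS);   // JKS supports store(), unlike the old PKCS12 impl
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(merged, JKS_PASS);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // null trust managers = JDK default trust store
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSSLSocketFactory());
    }
}
```

With all entries in one keystore, the default X509KeyManager answers the original question: in chooseClientAlias() it picks a key entry whose key type and certificate issuer match the CA names the server lists in its CertificateRequest, so each server ends up with the certificate issued under its own CA.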
 