Re: SSL - Providing client certificates

Kris Jurka <books 'at' ejurka.com> writes:

> On Fri, 20 Feb 2009, Saleem EDAH-TALLY wrote:
>
>> However, if we set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword,
>> the SSL connection is established and the client certificate is verified.
>>
>
> When the code was first written, this wasn't tested and it was just
> assumed that it wouldn't work. Recently we got a report that it did
> work, but the documentation was not updated.
>
> What I don't understand is how it selects the certificate to send. If
> you have multiple keys in your keystore, how do you indicate which one
> to use?

My quite limited understanding of the behaviour of SSL client
authentication may potentially help a little:

You initially send a certificate signing request to the
admin/owner of the server (signed with your private key); when
you receive the certificate reply (signed with their private
key), you can build a chain of trust between you and the server,
your keystore will look like:

Entry type: PrivateKeyEntry
Certificate chain length: 2

Certificate[1]:
Owner: <you>
Issuer: <server>

Certificate[2]:
Owner: <server>
Issuer: <server>

Then at the SSL handshake time, first the server presents his
certificate, second it asks for a client certificate, at that
time you are able to present the certificate belonging to the
chain of trust containing the server certificate on top.

--
Guillaume Cottenceau