Reputation: 1741
I need to encrypt a document using the client's public key. I can get the client certificate from their website. My question is: how should my application access this certificate?
I also need to validate this certificate and use CRL. My application uses latest Spring versions.
Thanks
Upvotes: 0
Views: 136
Reputation: 4228
You should download the certificate each time (if it is available). But you also need to validate the certificate each time and do a full chain validation as described in Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280, page 71, Chapter 6: Certification Path Validation), including CRL and/or OCSP.
If you do not download the certificate, how would you know that it has changed? Certificates do not only change if they are expired.
Use a hybrid encryption scheme for the document encryption.
Update:
Can you please tell me what you mean by "Certificates do not only change if they are expired."? What else can change, and how does it matter?
I mean that you need to check the certificate every time you access that service. A quick and dirty solution would be to download the certificate once, look for the expiration date and only re-check the certificate if the expiration date has passed. But that would be devastating to the public key infrastructure system. The idea is to check the certificate every time you access some service. Certificates may change before their expiration date, and that may have its reasons.
See RFC 5280 (the link provided above), page 69, for some reasons:

    CRLReason ::= ENUMERATED {
         unspecified             (0),
         keyCompromise           (1),
         cACompromise            (2),
         affiliationChanged      (3),
         superseded              (4),
         cessationOfOperation    (5),
         certificateHold         (6),
              -- value 7 is not used
         removeFromCRL           (8),
         privilegeWithdrawn      (9),
         aACompromise           (10) }
Upvotes: 1
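An added example (not code from the question or the answer) showing the three steps the answer describes with plain JDK APIs, which a Spring application can call directly: download the certificate fresh, run RFC 5280 path validation with CRL/OCSP revocation checking, and encrypt the document with a hybrid scheme. CLIENT_CERT_URL is a placeholder, and the example assumes the client's issuing CA is present in the trust store you pass in.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.ByteBuffer;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class ClientDocumentEncryptor {
    // Placeholder: where the client publishes its certificate (an assumption, not from the question).
    static final String CLIENT_CERT_URL = "https://client.example/cert.pem";

    // Re-download on every use, as the answer recommends, instead of caching until the expiry date.
    static X509Certificate fetchCertificate(String url) throws Exception {
        try (InputStream in = URI.create(url).toURL().openStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // RFC 5280 section 6 path validation. The explicit PKIXRevocationChecker fetches CRLs
    // (preferred here) from the CRL distribution points, falling back to OCSP; a revoked,
    // expired or untrusted certificate makes validate() throw CertPathValidatorException.
    static void validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        PKIXParameters params = new PKIXParameters(trustStore); // trust anchors = CA certs in the store
        params.addCertPathChecker(revocation);                   // used regardless of setRevocationEnabled
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain); // leaf first
        validator.validate(path, params);
    }

    // Hybrid encryption: a fresh AES-256-GCM key encrypts the document and is wrapped with the
    // client's RSA public key (OAEP). Output: [wrapped length][wrapped key][12-byte IV][ciphertext+tag].
    static byte[] hybridEncrypt(byte[] document, PublicKey clientKey) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(128, iv));
        byte[] body = aes.doFinal(document);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, clientKey);
        byte[] wrapped = rsa.wrap(dek);
        return ByteBuffer.allocate(4 + wrapped.length + iv.length + body.length)
                .putInt(wrapped.length).put(wrapped).put(iv).put(body).array();
    }
}
```

Load the JDK's cacerts (or your own truststore) into a KeyStore, pass the downloaded certificate as the chain (plus any intermediates, leaf first), and only after validate() returns call hybridEncrypt(document, cert.getPublicKey()).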