Santosh

Reputation: 17903

SSL: Client Authentication, multiple certificate version in same store

Here is the situation:

  1. Our application talks to multiple 3rd-party applications, and a few of them need client authentication.

  2. One particular third-party app needs client auth and has appropriately provided certificates (which we imported into our key store (JKS)). This is during integration testing. Things are working fine in the Test environment.

  3. Now, before going live, they want to upgrade the certificate issued by a CA.

  4. For the new certificate, we can always create a new store, but for the sake of convenience we wanted to know if the two certificates (old and new) can reside in the same store? (So that in case they roll back, there is no change on our side.)

  5. The URL being the same, how does the application (HTTP client library) know which version of the client certificate(s) to present when making calls to the server?

Upvotes: 0

Views: 400

Answers (1)

user207421

Reputation: 310903

You can have both certificates in the truststore. JSSE will select whichever one matches the trusted CAs the server advises when it requests the client certificate.

However, the scenario you describe is radically insecure. If you are the client, you should be providing your own client certificate, not one that comes from someone else. Otherwise there must be a compromise of the private key, which means the certificate can't be used for the purpose it is intended for, and you can legally repudiate all transactions that are supposedly authenticated via this means. Client authentication under such a scheme serves no useful purpose whatsoever and you should not waste further time on it.

Upvotes: 1
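The answer's selection rule (JSSE keeps only the aliases whose chain is signed by a CA named in the server's CertificateRequest) cannot separate the old and the new certificate when both were issued by the same CA and both sit in one JKS. The wrapper below is an added example, not code from the question, the answer or the JDK: it delegates to the JDK's `X509KeyManager` for the issuer filtering and then skips any candidate whose leaf certificate is expired or not yet valid, so the store can hold both versions without the client presenting the wrong one. It assumes the keystore has already been loaded into a `KeyManagerFactory` (names such as `ValidityAwareKeyManager` are mine).

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.X509KeyManager;

/** Delegates to the JDK key manager but never presents a chain that is not valid today. */
public final class ValidityAwareKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public ValidityAwareKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        Date now = new Date();
        for (String keyType : keyTypes) {
            // getClientAliases() already keeps only aliases whose chain is signed by a CA the
            // server listed in its CertificateRequest; old and new cert from the same CA both pass.
            String[] candidates = delegate.getClientAliases(keyType, issuers);
            if (candidates == null) continue;
            for (String alias : candidates) {
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (chain != null && chain.length > 0 && isValidNow(chain[0], now)) {
                    return alias; // first candidate whose leaf certificate is within its validity window
                }
            }
        }
        return null; // nothing usable: JSSE continues the handshake without a client certificate
    }

    private static boolean isValidNow(X509Certificate cert, Date now) {
        try {
            cert.checkValidity(now); // throws CertificateExpiredException or CertificateNotYetValidException
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    // Everything else is plain delegation.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

To install it, call `init(keyStore, keyPassword)` on a `KeyManagerFactory`, cast `getKeyManagers()[0]` to `X509KeyManager`, and pass `new KeyManager[] { new ValidityAwareKeyManager(base) }` to `SSLContext.init`. If the partner rolls back to the old CA, the server's issuer list changes and only the old certificate passes the first filter, which is the behaviour the answer describes.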
