Reputation: 29518
I'm new to SSL and trying to figure out how to get it working with a Java Netty server. I want to do essentially this: Correctly creating a new certificate with an intermediate certificate using Bouncy Castle. I want to create certificates for different clients and have them talk to my server. I generate unique certificates per client, but I have two basic questions regarding SSL implementation in Java.
When I create my intermediate certificate to sign the client certs, is this basically a one-time thing similar to creating the root cert? Meaning, in the example, the author generates a KeyPair intermediatePair. Do I regenerate this KeyPair when I sign for different client certs? My guess is no and that I should save this intermediate cert somewhere and then load it when my server starts.
How do clients actually get trusted by the server? Is it the fact that the certificate they have is signed by the server's rootcert->intermediatecert and that creates the chain of trust? Or, after I create my certificate, do I need to add that cert to the KeyStore trustStore I'm using when my server starts? Something like this (pseudocode):
```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Loads one X.509 certificate from the file at `path` into an in-memory trust store.
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);  // start from an empty store
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Path p = Paths.get(path);
byte[] bytes = Files.readAllBytes(p);
X509Certificate certificate;
try (InputStream in = new ByteArrayInputStream(bytes)) {  // closed automatically
    certificate = (X509Certificate) certificateFactory.generateCertificate(in);
}
trustStore.setCertificateEntry("certificateName", certificate);
```
Upvotes: 1
Views: 433
Reputation: 311023
> When I create my intermediate certificate to sign the client certs, is this basically a one time thing similar to creating the root cert?

One time until it expires.

> Meaning, in the example, the author generates an KeyPair intermediatePair. Do I regenerate this KeyPair when I sign for different client certs?

No.

> My guess is no and that I should save this intermediate cert somewhere and then load it when my server starts.

Yes.

> How do clients actually get trusted by the server? Is it the fact that the certificate they have is signed by the server rootcert->intermediatecert and creates the chain of trust?

It is the fact that a chain of certificates exists from the client cert to the trusted root cert.

> Or after I create my certificate, so I need to add that cert to the KeyStore trustStore I'm using when my server starts? Something like this (pseudocode)

No. Just make sure the root cert is in the truststore, via the keytool. You don't need to write code at all.
Upvotes: 1
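The three steps the answer describes, as an added example that is not code from the question, the answer or Bouncy Castle's own documentation: it uses the JDK's KeyStore/TrustManager API and Bouncy Castle's bcpkix builders for certificate issuance, and assumes bcprov and bcpkix are on the classpath. The DNs, aliases, file names and password are made up for the demo, and RSA with SHA256withRSA is just the algorithm chosen here. `createCa` runs once and persists the intermediate key so it is reused for every client; `issueClientChain` reloads that key per client; `serverTrusts` shows that a truststore holding only the root accepts `[leaf, intermediate]` because a chain to the root exists, and rejects the leaf on its own because nothing in the truststore issued it.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ChainOfTrustDemo {
    static final String ROOT_DN = "CN=Example Root";            // made-up names
    static final String INTER_DN = "CN=Example Intermediate";

    static KeyPair newRsaKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Issue a certificate for subjectPair's public key, signed by issuerKey; ca=true marks a CA cert.
    static X509Certificate sign(String issuerDn, PrivateKey issuerKey, String subjectDn, KeyPair subjectPair, boolean ca) throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuerDn), new BigInteger(64, new SecureRandom()),
                new Date(now - 60_000L), new Date(now + 365L * 24 * 3600 * 1000),
                new X500Name(subjectDn), subjectPair.getPublic());
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    // Done ONCE (until the certs expire): root and intermediate, both persisted as PKCS12 files.
    static void createCa(Path trustStoreFile, Path intermediateFile, char[] pw) throws Exception {
        KeyPair rootPair = newRsaKeyPair(), interPair = newRsaKeyPair();
        X509Certificate root = sign(ROOT_DN, rootPair.getPrivate(), ROOT_DN, rootPair, true);
        X509Certificate inter = sign(ROOT_DN, rootPair.getPrivate(), INTER_DN, interPair, true);
        // Server truststore: only the root certificate, no private keys.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        trust.setCertificateEntry("root", root);
        try (FileOutputStream out = new FileOutputStream(trustStoreFile.toFile())) { trust.store(out, pw); }
        // Intermediate signing key plus its chain, reloaded each time a client cert is issued.
        KeyStore signing = KeyStore.getInstance("PKCS12");
        signing.load(null, null);
        signing.setKeyEntry("intermediate", interPair.getPrivate(), pw, new X509Certificate[] {inter, root});
        try (FileOutputStream out = new FileOutputStream(intermediateFile.toFile())) { signing.store(out, pw); }
    }

    // Done PER CLIENT: reuse the saved intermediate key; the client presents [leaf, intermediate].
    static X509Certificate[] issueClientChain(Path intermediateFile, char[] pw, String clientDn) throws Exception {
        KeyStore signing = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(intermediateFile.toFile())) { signing.load(in, pw); }
        PrivateKey interKey = (PrivateKey) signing.getKey("intermediate", pw);
        X509Certificate inter = (X509Certificate) signing.getCertificate("intermediate");
        X509Certificate leaf = sign(INTER_DN, interKey, clientDn, newRsaKeyPair(), false);
        return new X509Certificate[] {leaf, inter};
    }

    // Done at SERVER START: a TrustManager built from the root-only truststore. This is the same
    // check the TLS handshake applies to a client certificate; no client cert is ever added here.
    static boolean serverTrusts(Path trustStoreFile, char[] pw, X509Certificate[] chain) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStoreFile.toFile())) { trust.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkClientTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;  // no path from the presented chain to a trusted root
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("pki-demo");
        char[] pw = "changeit".toCharArray();  // constructed demo password
        Path trustStoreFile = dir.resolve("truststore.p12"), intermediateFile = dir.resolve("intermediate.p12");
        createCa(trustStoreFile, intermediateFile, pw);
        X509Certificate[] chain = issueClientChain(intermediateFile, pw, "CN=client-1");
        System.out.println("leaf + intermediate: " + serverTrusts(trustStoreFile, pw, chain));
        // The leaf alone cannot be chained to the root: the intermediate is not in the truststore.
        System.out.println("leaf alone: " + serverTrusts(trustStoreFile, pw, new X509Certificate[] {chain[0]}));
    }
}
```

The keytool equivalent of the truststore step, which is what the answer recommends, is `keytool -importcert -alias root -file root.pem -keystore truststore.p12`; in Netty the resulting `TrustManagerFactory` is then handed to `SslContextBuilder.forServer(...).trustManager(tmf).clientAuth(ClientAuth.REQUIRE)`, and nothing in the server's code references individual client certificates.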