Reputation: 11
Verifying User Certificate with Root Certificate Java
I'm trying to verify the certificates provided by the users to my tomcat website (during mutual/client/certificate authentication).
Now I know that verifying the certificates manually may not be required as I suppose the browser does it before prompting for a certificate to the user. However, I still tried to do it and I have a few questions about it.
Please go through my process of creating the certificates as well as verifying them.
I am generating the Certificates as below:
# Generate Root Key
openssl genrsa -des3 -out root.key 2048
# Create a self signed Root Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out root.crt
# Generate User Key
openssl genrsa -out user.key 2048
# Generate User CSR
openssl req -new -key user.key -out user.csr
# Generate User Certificate and sign with Root Key
openssl x509 -req -in user.csr -CA root.crt -CAkey root.key -CAcreateserial -out user.crt -days 500 -sha256
Now I import the user.crt, user.key and the root.crt in a user.p12 keystore like so:
openssl pkcs12 -export -out user.p12 -inkey user.key -in user.cert -certfile root.crt
user.p12 gets distributed to the users who will be using the site.
I imported the root.crt to my "truststore" which is used by tomcat.
Now, when I try to verify the certificate provided by the users, I try to do the following:
File file = new File(keystorePath);
InputStream is = new FileInputStream(file);
keyStore.load(is, keyStorePass.toCharArray());
PKIXParameters params = new PKIXParameters(keyStore);
Set<TrustAnchor> trustAnchors = params.getTrustAnchors();
List<Certificate> certificates = trustAnchors.stream()
.map(TrustAnchor::getTrustedCert)
.collect(Collectors.toList());
Boolean certVerified = Boolean.FALSE;
for (Certificate cert : certificates){
try {
userCertificate.verify(cert.getPublicKey());
} catch (Exception e) {
e.printStackTrace();
continue;
}
LOGGER.info("Verified User Certificate.");
certVerified = Boolean.TRUE;
break;
}
This seems to work fine. However, my question is that since user.crt is created with root.crt, shouldn't the following code:
userCertificate.verify(cert.getPublicKey());
work like this?
cert.verify(userCertificate.getPublicKey());
My questions are as follows:
- Am I correct in assuming that I do not need verify user certificates in my code?
- If the
user.crtis created withroot.crt, why isuser.crtused to verifyroot.crtand not the other way round? - Am I completely dense and missing something important and all my logic is incorrect?
Upvotes: 0
Views: 591
Answers (0)
Related Questions
- Load CA root certificate at runtime in Java
- SSL Certificate Verification in Java
- Problem verifying a self created openssl root, intermediate and end user certificate
- How to create own self-signed root certificate and intermediate CA to be imported in Java keystore?
- java - can a certificate be verified with root CA or grand-parent CA without parent CA
- Java - verifying certificate with system TrustStore
- Verify a signature in Java using OpenSSL generated key and certificate
- Self signed Root CA doesn't work with Java
- OpenSSL verify fails, can't find root certificate
- Certificate chain validation