X509 Client Authorization

I have been struggling with implementing a client authorization with x509 certificates. I am able to get server side, SSL, but adding in the client side seems next to impossible. Does your book cover this aspect? We will be the CA for the client on a Win2k server. Specifically, I believe my issue is between proper key generation (on both sides) and proper deployment. Which is the root cert that needs to be in the server truststore and what other certs make up the chain? This is a very confusing topic and, although I've posted and searched the internet, very few seem willing or able to assist.
Originally posted by Tom Boyce:
Which is the root cert that needs to be in the server truststore and what other certs make up the chain?

When you've generated a self-signed key for the client, export it from the client's keystore, and import it into the server's keystore. This can be done with 'keytool' that's part of the JDK.
If you don't import the client's certificate into the server's keystore, the server won't trust it because none of the "official" CAs have signed your self-signed certificate and the chain of trust is not there.
In the real world case, the root CA is the one that you *MUST* trust. This is one of the assumptions of PKI; otherwise, the whole PKI idea won't work.
So, the first interesting question is, how do you verify the root CA? The answer is, you have no need to, or you can't, verify the root CA because it is already the root; no other CA is above it. Thus, the only way is that the root CA certificate is signed by itself. Since you always trust the root CA, you trust its signature as well.
Then, for any delegated CAs, you can always verify them by verifying the signature of the CA who issued the cert. of the target CA. This forms a certificate path.
For example, if the path is:
root -> CA1 -> CA2 -> CA3 -> server1
If you want to verify whether server1 is your target server, you check the digital signature on the cert. of server1 with CA3. Then, you check the signature of CA3 with CA2, etc., until you reach the root. As you always trust the root, if you finally come to the root, you then trust server1.
For another point raised by Lasse, if you have not imported the cert of the client, the server is not able to verify the client. However, it depends on your needs.
For example, when you buy a book from Amazon, your focus is to identify whether the Amazon website is *true*, and thus you check its certificate. However, you will discover that Amazon seems never to check your identity. It is because Amazon doesn't need to care who you are; it just cares whether you paid.
Thus, if your credit card is stolen by others, they can use your card to place orders. And as this issue has become more serious, Visa now requires the card holder either to register his card for internet use (with a limited amount), or to give a password (or token) before the purchase, to perform client authentication.
Nick
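The two checks described in this thread, Nick's walk up the path root -> CA1 -> CA2 -> CA3 -> server1 and Lasse's point that a self-signed client cert only verifies once it has been imported into the server's truststore, as an added example that is not from any post here. It is written in Go rather than Java so it runs stand-alone with no keystore files: Go's crypto/x509 can mint the certificates in memory, and the PKIX path validation it performs is the same kind of check a JSSE trust manager runs against the truststore when the server demands a client certificate. Everything in it is constructed for the example: the names root, CA1, CA2, CA3, server1 and client, the keys, and the function names issue, buildPKI, verifyPath and outcomes. Hostname checking is deliberately left out (no DNSName in the verify options) to keep the focus on the chain; a real client must also check that the server's name matches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on err; key and certificate generation cannot sensibly continue on failure.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn (all names here are constructed). With parent == nil it is
// self-signed (a root CA, or a self-signed client cert); otherwise parentKey, parent's key, signs it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA key may sign other certificates
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: the subject vouches for itself, nobody above it does
	} else {
		signer = parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// pki holds the path root -> CA1 -> CA2 -> CA3 -> server1 plus a self-signed client certificate.
type pki struct {
	root, ca1, ca2, ca3, server1, client *x509.Certificate
}

func buildPKI() pki {
	root, rootKey := issue("root", true, nil, nil)
	ca1, ca1Key := issue("CA1", true, root, rootKey)
	ca2, ca2Key := issue("CA2", true, ca1, ca1Key)
	ca3, ca3Key := issue("CA3", true, ca2, ca2Key)
	server1, _ := issue("server1", false, ca3, ca3Key)
	client, _ := issue("client", false, nil, nil)
	return pki{root, ca1, ca2, ca3, server1, client}
}

// verifyPath is the check a truststore-backed trust manager performs: follow signatures from leaf
// upwards until a certificate in roots (the truststore) is reached. Intermediates only need to be
// available; nothing is trusted unless the walk ends at a truststore entry.
func verifyPath(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, usage x509.ExtKeyUsage) error {
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		KeyUsages:     []x509.ExtKeyUsage{usage},
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// outcomes runs the cases the thread discusses and reports which of them verify.
func outcomes(p pki) map[string]bool {
	chain := []*x509.Certificate{p.ca1, p.ca2, p.ca3}
	rootOnly := []*x509.Certificate{p.root}
	return map[string]bool{
		"server1, root in truststore, full chain": verifyPath(p.server1, chain, rootOnly, x509.ExtKeyUsageServerAuth) == nil,
		"server1, empty truststore":               verifyPath(p.server1, chain, nil, x509.ExtKeyUsageServerAuth) == nil,
		"server1, CA2 missing from chain":         verifyPath(p.server1, []*x509.Certificate{p.ca1, p.ca3}, rootOnly, x509.ExtKeyUsageServerAuth) == nil,
		"client, self-signed cert imported":       verifyPath(p.client, nil, []*x509.Certificate{p.client}, x509.ExtKeyUsageClientAuth) == nil,
		"client, self-signed cert not imported":   verifyPath(p.client, nil, rootOnly, x509.ExtKeyUsageClientAuth) == nil,
	}
}

func main() {
	for name, verified := range outcomes(buildPKI()) {
		fmt.Printf("%-42s verified=%v\n", name, verified)
	}
}
```

Only the root has to be in the truststore; CA1, CA2 and CA3 are supplied by the peer (in TLS the server sends them along with its own certificate) or must also be imported. The "CA2 missing" case shows that a gap anywhere in the path is fatal, which is a common reason a site works in a browser (some browsers fetch missing intermediates themselves) but fails in JSSE, which does not do so by default. The two client cases are Lasse's keytool step in code: a self-signed client cert verifies only when that exact certificate sits in the server's truststore, because no CA above it will ever vouch for it.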
You may find help in my book, "Enterprise Java Security", which has a long chapter on JSSE explaining all the details.
Marco Pistoia