SSL Server Keystore (multiple entries)
[197 byte] By [Michael_OCLCa] at [2007-10-3 2:28:42] 
Hellois it possible to have more than one entry in the servers keystore.For each entry i would create another certificate and pass it to the client.Any idea if it works?
Yes it does. Only one of them will be passed to the client, and that will depend on the protocol negotiated between the client and the server. A certificate that matches the protocol will be sent. Not sure how it is chosen among many matches, quite probably the first match.
ejpa at 2007-7-14 19:27:47 >
Hello
the problem that i have is like following example
Generation of keystore:
keytool -genkey -alias nr1 -keystore keystore -dname "ou=example1"
keytool -genkey -alias nr2 -keystore keystore -dname "ou=example2"
Generation of certificates
keytool -export -keystore keystore -alias nr1 -file nr1.cer
keytool -export -keystore keystore -alias nr2 -file nr2.cer
Generation of truststores for clients:
keytool -import -keystore nr1 -alias nr1 -file nr1.cer
keytool -import -keystore nr2 -alias nr2 -file nr2.cer
And now if i try to connect me to the server only the trusstore nr1 works.
Am i missing something totally?
Michael_OCLCa at 2007-7-14 19:27:47 >
What do you mean by 'only the trusstore nr1 works'?
I would say that is expected behaviour, and corresponds to what I said above. Both server certs have the same properties so the server is probably always choosing the first certificate, so only nr1 works at the client because only nr1 knows about the first server cert.
Why do you think you need two server certs with the same crypto properties?
ejpa at 2007-7-14 19:27:47 >
Hello
if i use nr2 truststore i get the exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.secur
y.provider.certpath.SunCertPathBuilder
my situation is as follows
i want to give every client that wan to connect to my serversocket a different certificate file(*.cer).(That clients can be written in any language).
if now a client gets connected to my server i want to resolve by analysing the used certificate which client is connected.
Am i doing something totally wrong at the keygeneration?
>>Both server certs have the same properties
What did you mean with this?
Message was edited by:
Michael_OCLC
Michael_OCLCa at 2007-7-14 19:27:47 >
Then you are doing entirely the wrong thing. You need to do the following:
1. Create a set of client certs, each in a separate keystore.
2. Get them signed (export/signed by CA/reimport), or create them self-signed.
3. Export them to .cer files and import them into the server's truststore.
4. Distribute each keystyore to the corresponding client, and configure each client to treat this file as its keystore.
5. Set the server's SSLServerSocket to needClientAuth = true.
6. Have a single signed cert in the server's keystore, same process as at (1,2).
7. Export that to a .cer file and import it into a single truststore.
8. Distribute that same truststore to all clients and have them all use that file as their truststore.
OK? For non-Java clients you will have to do something different at step 4.
Then, when the server accepts a new connection, get the peer certificate or identity at the server either from the SSLSessionContext or a HandshakeCompletedEvent delivered to a HandshakeCompletedListener.
ejpa at 2007-7-14 19:27:47 >
hm ok i got itthanks for your helpbut why can i use the commandkeytool -generate ....and generate more than one entry into one file?that is very confusing.
Michael_OCLCa at 2007-7-14 19:27:47 >
Why not?
Normally you would do this if you were going to have a lot of variegated clients with different kinds, or levels, of crypto support (e.g. RSA, DSA). In this case you would need to have multiple signed private-key certificates to match all possible client configurations. What happens is this:
1. client sends ClientHello message, incorporating the crypto protocols the client can handle and a random number
2. server replies with ServerHello message, incorporating the ditto that the server can handle and a random number
3. server sends a certificate that matches the intersection of the protocols; in Java this comes from the server's keystore
4. If the server wants the client cert, it sends a CertRequest to the client, and the client responds with its cert chosen as in (3).; in Java this comes from the client's keystore.
5. Any cert that arrives at either end is checked against the local truststore.
So you see there is no sending of multiple certs, just one is sent (in each direction), and it has to match the intersection of the protocols as far as its crypto algorithms and key lengths &c are concerned.
ejpa at 2007-7-14 19:27:47 >
ah ok i understandthanks for your fast help(now i have to implement it in another way)
Michael_OCLCa at 2007-7-14 19:27:47 >
Java Essentials New Topic
Java Essentials Hot Topic
- "Class is not abstract and does not override abstract method isSupported(ja
- How to conver string into date
- Installing device drivers using java
- how to use shell program parameters in java program?
- IllegalArgumentException using write method in nio FileChannel
- Problem using Currency class/methods
- FutureTask.cancel(true) does not work
- about javacode
Java Essentials
All Classified
- Archived Forums
- Enterprise & Remote Computing
- Java Essentials
- Desktop
- Core
- Solaris Operating System
- Security
- Database Connectivity
- Java Mobility Forums
- Web & Directory Servers
- Development Tools
- Application & Integration Servers
- Java HotSpot Virtual Machine
- Other Topics
- E-Mail, Calendar, & Collaboration
- Developer Tools
- General
- Administration Tools
- Sun Hardware
- Storage Forums
- Java Enterprise System
- StarOffice
- Open Source Technologies
- BigAdmin
- Real-Time
- Java Coding