
I want to write a program that creates SSL sockets using Oracle's SSLSocket class. In my program I want the client to pass its certificate (created using Keytool). The server should verify the certificate and then proceed with communication. I want the server to check the certificate of each client that connects to it. Suppose that all the keys (server's and clients') are stored in the keystore. How do I implement this?

Edit:

Forgive me if I am not able to convey my question correctly. I am new to this. I'm reading this link to get some directions. Here, while reading the keystores the server has directly hard-coded the client's key file name (viz "client.public"). However, in my program this will be specified by the client as the server can't know beforehand what the client's public key file name would be.

TheRookierLearner

1 Answer

You've just described exactly what already happens behind the scenes. All you have to do is create an SSLServerSocket and set needClientAuth to true, and start accepting connections from it as usual. JSSE will do the rest.

user207421
  • Suppose I have 10 clients connecting to a server. How can the server know which client's certificate to ask the CA for (in this case `Keytool`, as it'll be managing all the certificates)? Can you give some references please? – TheRookierLearner Apr 25 '13 at 22:53
  • I don't understand the question. A client connects, sends its certificate, the server reads the certificate and checks it against the trust store. For each client. Per connection. – user207421 Apr 25 '13 at 23:20
  • You need to read the JSSE Reference Guide, and re-read the IBM link too. The clients must either have certificates signed by a CA, in which case they will be trusted by the server's truststore automatically, or else they need to export their certificates to the server and have them imported into the server's truststore, via some secure offline process. – user207421 Apr 25 '13 at 23:49
  • My certificates are signed by my own CA (CA is common for client and server) and I'm importing the certificate after the client provides me its certificate's name. That's what I'm trying to do and "how to do that" is my question. – TheRookierLearner Apr 25 '13 at 23:56
  • Then you only need to import your CA's certificate into your server's truststore. Then it will trust all certificates signed by that CA. – user207421 Apr 26 '13 at 00:00
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/28924/discussion-between-therookierlearner-and-ejp) – TheRookierLearner Apr 26 '13 at 00:02
  • Not convenient. This stuff is all documented. I'm not clear what it is that you don't understand. – user207421 Apr 26 '13 at 00:04
  • I'm using `Keytool` to generate the certificates of the clients and server. I don't know what will be the CA in my case and whose certificate to import. – TheRookierLearner Apr 26 '13 at 00:21
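The setup the answer and its comments describe (an `SSLServerSocket` with `needClientAuth` set to true, a server truststore that holds only the CA certificate, and JSSE validating each client's certificate chain per connection), as an added example that is not code from the original question or answer. It assumes three constructed files: `server.jks` and `client.jks` each hold that party's own key pair plus a certificate signed by the same private CA, and `truststore.jks` holds nothing but that CA's certificate (imported with `keytool -importcert`); the password `changeit`, port 8443 and the `ping` message are likewise assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (not from the original post). Assumed file names:
//   server.jks     server key pair + certificate signed by the private CA
//   client.jks     client key pair + certificate signed by the same CA
//   truststore.jks only the CA certificate (keytool -importcert -alias myca -file ca.crt -keystore truststore.jks)
public class MutualTlsDemo {
    static final char[] PASSWORD = "changeit".toCharArray(); // assumed password for all stores
    static final int PORT = 8443;                            // assumed port

    /** Build an SSLContext from a keystore (our own identity) and a truststore (whom we trust). */
    static SSLContext buildContext(String keystore, String truststore) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystore)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststore)) {
            ts.load(in, PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server: demand a client certificate; JSSE rejects any chain that does not end at the CA in the truststore. */
    static void runServer() throws Exception {
        SSLServerSocketFactory f = buildContext("server.jks", "truststore.jks").getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) f.createServerSocket(PORT)) {
            server.setNeedClientAuth(true); // handshake fails if the client presents no certificate
            while (true) {
                SSLSocket socket = (SSLSocket) server.accept();
                new Thread(() -> handleClient(socket)).start();
            }
        }
    }

    static void handleClient(SSLSocket socket) {
        try (SSLSocket s = socket) {
            s.startHandshake(); // throws here if the client certificate is missing or untrusted
            // The verified certificate's subject is the client's authenticated identity;
            // the server never needs to know the client's key file name in advance.
            X509Certificate cert = (X509Certificate) s.getSession().getPeerCertificates()[0];
            String who = cert.getSubjectX500Principal().getName();
            System.out.println("Authenticated client: " + who);

            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
            PrintWriter out = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), "UTF-8"), true);
            String line = in.readLine();
            out.println("hello " + who + ", you said: " + line);
        } catch (SSLHandshakeException e) {
            System.err.println("Rejected client: " + e.getMessage());
        } catch (IOException e) {
            System.err.println("I/O error: " + e.getMessage());
        }
    }

    /** Client: presents client.jks's certificate when the server asks for it, and checks the server's name. */
    static void runClient() throws Exception {
        SSLSocketFactory f = buildContext("client.jks", "truststore.jks").getSocketFactory();
        try (SSLSocket s = (SSLSocket) f.createSocket("localhost", PORT)) {
            // SSLSocket does not verify the server hostname by default; enable it explicitly.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            s.startHandshake();

            PrintWriter out = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), "UTF-8"), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
            out.println("ping");
            System.out.println("Server replied: " + in.readLine());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1 && args[0].equals("client")) {
            runClient();
        } else {
            runServer();
        }
    }
}
```

Run `java MutualTlsDemo` in one terminal and `java MutualTlsDemo client` in another. A client whose certificate was not signed by the CA in `truststore.jks`, or that presents no certificate at all, is rejected inside `startHandshake()` before any application data is exchanged, which is the per-connection check the answer refers to. Nothing about any individual client is configured on the server; trust comes only from the CA certificate in the truststore, and the authenticated identity is read from the peer certificate after the handshake.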