
I am trying to run a Java client with 2way SSL, which uses CAC card as keystore for the client. I have added the following system property in my client program to make it work and also changed the java.security file to add pcks11 provider.

System.setProperty("javax.net.ssl.keyStoreType", "pkcs11");
System.setProperty("javax.net.debug", "ssl");

The program works fine and the handshake is done successfully. However, when I have more than one trusted certificate in the CAC card, it takes the default certificate. I want to specify which certificate should be used to do the client auth (maybe by specifying the alias name), but I didn't find any system property to do that.

How can I specify the alias name as a system property, so that the 2way SSL will use it for the client auth?

Is there another way to specify the alias name? For example, when I access the server URL from any browser I would get a certificate selection prompt and the connection is established with the selected certificate.

Cray

2 Answers


For choosing a client certificate, the default implementation (sun.security.ssl.X509KeyManagerImpl, assuming you're using the Sun JRE) chooses the first certificate that it can use for the request.

PKCS#11 is a slightly specific case. As far as I'm aware, there would only be one private key + certificate chain per slot. If no slot is specified in your PKCS#11 provider configuration, the default one will be 0.

Bruno
  • Thanks Bruno for your response. In my case, I am using a CAC card which has more than one trusted certificate in it. My question is how to select one particular certificate for the handshake. Let me know if there is a way to do this. – Thangaraj P Jul 14 '10 at 08:51
  • What does your PKCS#11 configuration look like? – Bruno Jul 14 '10 at 08:52
  • In some forum I got the info that writing a custom KeyFactory would resolve the issue: AxisProperties.setProperty("axis.socketSecureFactory","com.ssl.MySSLSocketFactory"); But I never get a callback to get the key factory or the context in the custom key factory. Any idea? – Thangaraj P Jul 14 '10 at 09:49
  • If you're using a PKCS#11 provider, it will most likely be configurable by the `slot` option in your PKCS#11 configuration file (configured with the provider). If you don't provide more details about the config, it's hard to tell... I doubt `axis.socketSecureFactory` is where to choose the cert from the PKCS#11 token. – Bruno Jul 14 '10 at 10:40

As there is no specific property among the Java SSL properties, it is better to search for a different existing KeyManager implementation which supports this, or else write your own custom KeyManager so that you can pick the specific certificate by its alias name.

Thanks, Sunny.

Dungeon Hunter
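One way to do what the answer above suggests, as an added example that is not part of the original answer or any project: a delegating X509ExtendedKeyManager that pins the client alias but falls back to the default choice when the server's CertificateRequest does not admit that alias. The class name, the buildContext helper and its alias/PIN parameters are assumptions.

```java
import javax.net.ssl.*;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;

// Wraps the JRE's default key manager and pins the alias used for client auth.
public final class AliasSelectingKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String clientAlias;
    public AliasSelectingKeyManager(X509ExtendedKeyManager delegate, String clientAlias) {
        this.delegate = delegate;
        this.clientAlias = clientAlias;
    }
    // Use the pinned alias only if the delegate offers it for this handshake's key types and issuers.
    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return offered(keyType, issuers) ? clientAlias : delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return offered(keyType, issuers) ? clientAlias : delegate.chooseEngineClientAlias(keyType, issuers, engine);
    }
    private boolean offered(String[] keyTypes, Principal[] issuers) {
        for (String kt : keyTypes) {
            String[] aliases = delegate.getClientAliases(kt, issuers);
            if (aliases != null) for (String a : aliases) if (clientAlias.equals(a)) return true;
        }
        return false;
    }

    // Everything else passes through untouched.
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    // Builds an SSLContext over the PKCS#11 keystore (the token PIN unlocks the keys) with the pinned alias.
    public static SSLContext buildContext(String alias, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                       // default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        KeyManager km = new AliasSelectingKeyManager((X509ExtendedKeyManager) kmf.getKeyManagers()[0], alias);
        ctx.init(new KeyManager[] { km }, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

The alias must be one the PKCS#11 keystore exposes (visible with keytool -list -keystore NONE -storetype PKCS11); install the context with HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()) and the javax.net.debug=ssl output will show which certificate was sent.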