
I use Java 13 to access a REST service using 2-way authentication with PKCS11 tokens. This server has no specification regarding the client certificate, so all certificates installed on the client system match on the initial SSL handshake, and Java seems to auto-select a certificate that is not registered on the server, so the communication is not established.

I use the Windows-MY keystore in Java and the basic code is:

import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
// Windows-MY is the SunMSCAPI view of the current user's personal certificate store
KeyStore keystorePkcs11 = KeyStore.getInstance("Windows-MY");
keystorePkcs11.load(null, null);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("sunx509");
keyManagerFactory.init(keystorePkcs11, null);
SSLContext context = SSLContext.getInstance("TLSv1.2");
// trustAllCerts is a TrustManager[] defined elsewhere in the asker's code
context.init(keyManagerFactory.getKeyManagers(), trustAllCerts, new SecureRandom());

I can't find any reference on how to select a certificate. As a bad workaround I delete the wrong certificates, but this makes them disappear from Windows as well (Internet Explorer, Tools / Internet Options, Certificates tab).

How do I select a single certificate from Windows for communication with a server?

Victorqedu
Instead of using the default `X509KeyManager` from `KeyManagerFactory`, write your own implementation (or optionally `X509ExtendedKeyManager`, especially if you are using or may use `SSLEngine`) where `chooseClientAlias` returns the alias of the keystore entry to use, possibly as a wrapper to the default one. It's documented as an API (or tree of them) so that you can do that. – dave_thompson_085 May 29 '22 at 12:26
E.g. see https://stackoverflow.com/questions/39996178/when-using-a-custom-x509keymanager-java-is-not-able-to-determine-a-matching-ciph and https://stackoverflow.com/questions/9179717/using-more-than-one-key-pair-in-ssl-socket-factory-connection/9182713 – dave_thompson_085 May 29 '22 at 12:38
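A wrapping key manager along the lines the comment describes, as an added example that is not code from the question or from the linked posts; it assumes the Windows-MY alias to pin (the friendly name of the certificate, passed in as `alias`) is known, and it delegates everything except client-alias selection to the default SunX509 key manager:

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Wraps the default SunX509 key manager and pins the client alias to one Windows-MY entry. */
public final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String pinnedAlias; // friendly name of the certificate in Windows-MY (assumed known)
    public PinnedAliasKeyManager(X509ExtendedKeyManager delegate, String pinnedAlias) {
        this.delegate = delegate;
        this.pinnedAlias = pinnedAlias;
    }

    // SSLSocket handshakes ask here; ignore the server's issuer hints and return the pinned entry.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return pinnedAlias;
    }
    // SSLEngine handshakes (e.g. java.net.http.HttpClient) ask here instead.
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return pinnedAlias;
    }
    // Everything else is delegated unchanged, so chain and private-key lookup for the alias still work.
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    @Override public String chooseEngineServerAlias(String k, Principal[] i, SSLEngine e) { return delegate.chooseEngineServerAlias(k, i, e); }
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Builds an SSLContext that presents only the given Windows-MY entry as the client certificate. */
    public static SSLContext buildContext(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        // Fail early rather than at handshake time if the alias is not in the store.
        if (!ks.containsAlias(alias)) throw new IllegalArgumentException("alias not in Windows-MY: " + alias);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, null);
        X509ExtendedKeyManager def = (X509ExtendedKeyManager) kmf.getKeyManagers()[0];
        // Use the platform trust store for the server side rather than a trust-all manager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(def, alias) }, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }
}
```

Because the pinned alias is returned regardless of the `keyType` and `issuers` the server advertises, the handshake will fail if the pinned entry's key type or issuer is one the server does not accept, which is exactly the situation the first linked question covers.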

0 Answers