
I have added two certificates into my server's (JBoss) keystore, with the domain name in both as "localhost". So now, if a local client accesses the server, which of the certificates will be sent to the client?
There is no error thrown in JBoss, and it is working fine. I just want to know how JBoss is choosing which certificate to send.

Listing the contents of the truststore used by the Java program:

Your keystore contains 2 entries

tomcat, 5 Mar, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): B0:F0:98:5F:E5:D0:D6:24:58:B6:38:07:97:38:95:D5:AB:28:E1:1E
tomcat1, 6 Mar, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): C4:2B:E8:14:F9:85:5A:05:F2:1F:58:AE:65:FB:0E:8F:DD:23:97:87


Both tomcat and tomcat1 have CN=localhost.
Listing the contents of the keystore used by JBoss:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, 5 Mar, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): B0:F0:98:5F:E5:D0:D6:24:58:B6:38:07:97:38:95:D5:AB:28:E1:1E
tomcat1, 6 Mar, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): C4:2B:E8:14:F9:85:5A:05:F2:1F:58:AE:65:FB:0E:8F:DD:23:97:87


Displaying the keystore entries using keytool's list "-v" option, as per Kevin's request:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: 5 Mar, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 5aaac34c
Valid from: Mon Mar 05 15:04:46 IST 2012 until: Sun Jun 03 15:04:46 IST 2012
Certificate fingerprints:
         MD5:  6A:9D:10:37:4F:98:7F:85:D5:93:95:CC:C3:84:07:D8
         SHA1: B0:F0:98:5F:E5:D0:D6:24:58:B6:38:07:97:38:95:D5:AB:28:E1:1E
         SHA256: FB:F5:BC:9F:17:E9:28:8C:77:1B:40:17:8B:D3:12:71:05:0D:CF:9C:99:00:C4:25:76:46:CE:E0:0C:E6:6B
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 B3 2E B5 A0 76 78 7E   9D B6 2A D6 4A 6A 8D 96  .....vx...*.Jj..
0010: FA 7D 47 9B                                        ..G.
]
]



*******************************************
*******************************************


Alias name: tomcat1
Creation date: 6 Mar, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 4891416
Valid from: Tue Mar 06 06:41:21 IST 2012 until: Mon Jun 04 06:41:21 IST 2012
Certificate fingerprints:
         MD5:  B9:31:FE:75:E9:28:E6:BC:F2:94:60:93:7B:0C:00:63
         SHA1: C4:2B:E8:14:F9:85:5A:05:F2:1F:58:AE:65:FB:0E:8F:DD:23:97:87
         SHA256: 58:7B:D3:A1:2C:8E:C1:C9:26:0A:9F:A1:86:D1:79:76:34:D2:83:6A:88:0C:E1:36:F5:88:3F:DC:F7:D7:89
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F1 BF 69 B4 CA D6 9E 72   AC C3 26 9F CD 57 58 7A  ..i....r..&..WXz
0010: 62 19 8B B8                                        b...
]
]



*******************************************
*******************************************
Ashwin

2 Answers


By default, JBoss (or Apache Tomcat) will use the default settings of the default X509KeyManager to choose which certificate to use: it will pick the first one it finds in the keystore that is valid for the type of key (e.g. RSA for an RSA-based cipher suite) and valid at the time of connection.

Failing that, if an alias is explicitly specified in keyAlias, it will pick the certificate in that alias (and it will fail if the key type isn't correct).

If, instead of this, the name of a custom class implementing SSLImplementation is given in the SSLImplementation attribute, it will be used to provide the SSLSocketFactory (so the alias choice will be done however its SSLContext/KeyManager is configured).

Support for Server Name Indication (SNI), which is what would allow the key manager to use the requested host name to help make a choice, was only introduced in Java 7, and only on the client side, so the JSSE cannot use it on the server side currently.

Bruno
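To see for yourself which entry the default key manager hands back, and how a keyAlias-style pin changes that, here is an added example; it is not code from the question, from JBoss or from Tomcat. It loads the JKS keystore named on the command line, asks the JSSE default X509KeyManager which alias it would choose for an RSA or EC cipher suite, and then wraps the same key manager so that one fixed alias is always returned, which is the technique a keyAlias connector setting relies on. The keystore path, its password and the optional alias to pin are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added example (not JBoss/Tomcat code): shows which alias the JSSE default
 * X509KeyManager picks from a keystore holding several PrivateKeyEntry aliases
 * with the same CN, and the alias-pinning wrapper that a keyAlias setting uses.
 * Arguments (assumed): <keystore path> <keystore password> [alias to pin]
 */
public class KeyManagerAliasCheck {

    /** Builds the X509KeyManager that JSSE would use with default settings. */
    static X509KeyManager defaultKeyManager(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager available");
    }

    /**
     * Wraps a delegate so the server side always presents one fixed alias.
     * The alias is checked up front so a typo fails at startup, not per connection.
     */
    static X509KeyManager pinnedToAlias(final X509KeyManager delegate, final String alias) {
        if (delegate.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("alias '" + alias + "' has no private key in the keystore");
        }
        return new X509KeyManager() {
            public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
                return alias;                       // ignore key type and issuers: always this entry
            }
            public String[] getServerAliases(String keyType, Principal[] issuers) {
                return new String[] { alias };
            }
            public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
                return delegate.chooseClientAlias(keyType, issuers, socket);
            }
            public String[] getClientAliases(String keyType, Principal[] issuers) {
                return delegate.getClientAliases(keyType, issuers);
            }
            public X509Certificate[] getCertificateChain(String a) {
                return delegate.getCertificateChain(a);
            }
            public PrivateKey getPrivateKey(String a) {
                return delegate.getPrivateKey(a);
            }
        };
    }

    /** Subject, serial and expiry of the leaf certificate, to match against keytool -v output. */
    static String describe(X509KeyManager km, String alias) {
        X509Certificate[] chain = km.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "(no certificate chain)";
        }
        X509Certificate leaf = chain[0];
        return leaf.getSubjectX500Principal() + " serial=" + leaf.getSerialNumber().toString(16)
             + " notAfter=" + leaf.getNotAfter();
    }

    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        X509KeyManager km = defaultKeyManager(ks, password);

        // What the default key manager would do with no alias configured.
        for (String keyType : new String[] { "RSA", "EC" }) {
            String[] candidates = km.getServerAliases(keyType, null);
            System.out.println(keyType + " candidates: "
                + (candidates == null ? "none" : Arrays.toString(candidates)));
            String chosen = km.chooseServerAlias(keyType, null, null);
            System.out.println(keyType + " default choice: " + chosen
                + (chosen == null ? "" : "  -> " + describe(km, chosen)));
        }

        // What a keyAlias-style pin does instead.
        if (args.length > 2) {
            X509KeyManager pinned = pinnedToAlias(km, args[2]);
            String chosen = pinned.chooseServerAlias("RSA", null, null);
            System.out.println("pinned choice: " + chosen + "  -> " + describe(pinned, chosen));
        }
    }
}
```

Run it against the keystore from the question, giving its password as the second argument and, optionally, the alias you want pinned as the third; the serial it prints (5aaac34c or 4891416 in the listing above) tells you which of the two CN=localhost entries the connector would serve. The order in which the SunX509 key manager returns candidates comes out of an internal map of aliases, not the order keytool printed them, so treat the "default choice" line as something to verify per JVM rather than rely on; pinning the alias is the only deterministic control.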

What exactly are you trying to achieve? The certs are stored in the keystore and presented to the user based on hostname match. This is incorrect, please see below.

Logically speaking, it would load only one of these, which in turn will be served to the user.

--Edit--
Trying to simplify by pointing to another link

  1. Say you specify "keyAlias" in your JBoss configuration as "tomcat"; then the tomcat alias will be picked up.
  2. If you do not specify an alias, then the "first key read in the keystore will be used".
souser
  • I know that and that is what is happening. As I have mentioned in my question that it is working perfectly fine. I had expected it to show an error. – Ashwin Mar 06 '12 at 02:42
  • Gave it some more thought and am curious to know whether the store actually displays two certs. When you import the second cert (with the same name), it would override the first. Can you display the contents of the keystore ? – souser Mar 06 '12 at 05:54
  • I will check that and let you know. – Ashwin Mar 06 '12 at 07:05
  • I am replying a bit late but this is what is happening. The store actually displays the two certificates. It does not overwrite the certificate when you import the second one. See my question. – Ashwin Mar 11 '12 at 06:24
  • I have edited my question with the truststore and keystore details. – Ashwin Mar 11 '12 at 07:10
  • Can you display the contents of the keystore using the "-v" option of keytool ? Not the truststore, just the keystore. – souser Mar 11 '12 at 07:34
  • I have edited my question to display the contents of the keystore using the "-v" option of keytool. As I said, both the entries have "cn=localhost". – Ashwin Mar 11 '12 at 07:56
  • Very interesting, and I don't have an answer. Obviously only one will be picked up, but the question is which one and what logic does it use to decide that. Need to spend time on Google :) – souser Mar 11 '12 at 17:43
  • The answer already existed ... on stackoverflow itself :) http://stackoverflow.com/questions/6370745/can-we-load-multiple-certificates-keys-in-a-key-store – souser Mar 11 '12 at 18:16
  • I seriously don't get what is given in the link that you said I would find the answer in. Can you please explain it, or at least tell me what you concluded from it? – Ashwin Apr 19 '12 at 11:24
  • @Kevin, the certs are not presented to the user based on the host name match, they're presented to the user based on the alias only. – Bruno Apr 20 '12 at 13:43
  • @Ashwin - Go over the link I sent earlier; it's in the Connector element. – souser Apr 21 '12 at 16:48
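The Connector element the comments point at, as an added configuration example rather than anything from the original post or the linked answer: the first connector leaves the choice between the two PrivateKeyEntry aliases to the key manager, the second pins it with keyAlias. This is the JBoss Web (Tomcat-based) HTTPS connector syntax from server.xml; the keystore path, the ${jboss.server.home.dir} property, the password and the port are assumptions for illustration.

```xml
<!-- Ambiguous: the keystore holds both "tomcat" and "tomcat1" with CN=localhost
     and no keyAlias is given, so the key manager picks one of them by its own rule. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="changeit" />

<!-- Pinned: keyAlias names the entry to serve. The alias must be a key entry
     (PrivateKeyEntry, not trustedCertEntry) or the connector fails to initialise. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="changeit"
           keyAlias="tomcat1" />
```

After restarting, confirm which certificate is actually served by comparing the fingerprint the client sees (for example from a browser's certificate viewer or openssl s_client) against the two SHA1 fingerprints listed in the question; an alias that is a trustedCertEntry, as in the truststore listing, cannot be used here because it carries no private key.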