Suppose I am a Java web server application. I want a Java client to be able to connect to me from a Java application by REST over HTTPS over the internet.
So I got my CA certificate, added it to my truststore and created my keystore.
My question is: does the client application have to get anything from me (a file or any other information) in order to be able to establish this connection (regarding this SSL issue, I mean)?
Thank you
If your certificate is signed by a CA, the client doesn't need anything else. If it is self-signed, the client will need the same certificate to compare.
I was curious if anyone knew how to implement a Dynamic MTLS solution in Jetty? We have a use case where we need to do device authentication. We want each device to have a different client certificate for security reasons. Is there a way to dynamically pull and validate the server certificate with the one the client sent in? I was combing through the SslContextFactory and ServerConnector java classes, but could not quite figure out which method to override if I extended them. Any help would be greatly appreciated.
The canonical way would be for each device to have a certificate D signed with a server certificate SS.
Note that the server's signing certificate SS may be different (and typically is) from the server's domain certificate.
The server (or a similar authority that you control) emits signed certificates for new devices (a certificate Dn signed with SS).
Basically the server acts as a standard Certificate Authority.
Certificate SS need not be signed by another authority, as long as it's trusted by the server (i.e. it's in the server TrustStore).
There is no need to extend any Jetty class, just use the standard PKI processes and tools, and then the only thing you need to do is to configure Jetty accordingly.
I would recommend deploying your own PKI and having server and device certificates issued by your own authority. Simone's answer on using the server certificate to sign clients will stop working if you change the server certificate, and you do not want a server certificate with long validity.
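As an added illustration of "configure Jetty accordingly" (this is example code written for this page, not code from the Jetty project or from the answers above), the following Jetty 9.4 server requires a client certificate on the TLS connector and then checks, per request, that the presented device certificate belongs to an enrolled device. The keystore and truststore paths, the environment variables for their passwords, and the in-memory allow-list of device subject names are all assumptions for the example; the truststore is assumed to contain only the device-signing CA (the SS or private-PKI certificate described above), so the TLS layer rejects anything not issued by it before the handler ever runs.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class DeviceMtlsServer {

    // Constructed allow-list of enrolled device subjects (RFC 2253 form as returned by
    // getSubjectX500Principal().getName()). A real deployment would consult a device
    // registry here, which is also where a deprovisioned device gets removed.
    static final Set<String> ENROLLED_DEVICES = new HashSet<>(Arrays.asList(
            "CN=device-0001,O=Example Devices",
            "CN=device-0002,O=Example Devices"));

    /** Returns true if the leaf certificate of the presented chain names an enrolled device. */
    static boolean isEnrolled(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false; // no client certificate was presented
        }
        String subject = chain[0].getSubjectX500Principal().getName();
        return ENROLLED_DEVICES.contains(subject);
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/device-service/server-keystore.p12");          // assumed path
        ssl.setKeyStorePassword(System.getenv("SERVER_KEYSTORE_PASSWORD"));    // assumed env var
        ssl.setTrustStorePath("/etc/device-service/device-ca-truststore.p12"); // holds only the device CA
        ssl.setTrustStorePassword(System.getenv("DEVICE_CA_TRUSTSTORE_PASSWORD"));
        // Require a client certificate; the handshake fails if the device presents none,
        // or one that does not chain to a certificate in the truststore.
        ssl.setNeedClientAuth(true);
        ssl.setIncludeProtocols("TLSv1.2", "TLSv1.3");

        // SecureRequestCustomizer exposes the verified client chain as a request attribute.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(8443);
        server.addConnector(connector);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException, ServletException {
                baseRequest.setHandled(true);
                X509Certificate[] chain = (X509Certificate[])
                        request.getAttribute("javax.servlet.request.X509Certificate");
                if (!isEnrolled(chain)) {
                    // TLS already proved the device holds a key signed by our CA;
                    // this is the application-level "is this device still allowed" check.
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
                response.setStatus(HttpServletResponse.SC_OK);
                response.setContentType("text/plain");
                response.getWriter().println("authenticated device: "
                        + chain[0].getSubjectX500Principal().getName());
            }
        });

        server.start();
        server.join();
    }
}
```

Nothing in Jetty is subclassed: the trust decision is delegated to the standard TLS handshake against the device CA, and the only per-device logic lives in the handler, where the registry lookup can be made as dynamic as needed.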
I have developed a Java application that uses a signature pad to capture biometric signatures. The pad is plugged into the client computers, so I need to run the Java controller on each local machine. To do that we run a JAR that contains a Jetty server. We use the WebSocket protocol to start the signature process from the browser and to send data to the Jetty server.
The problem: we need to create a certificate for the secure WebSocket connection, and this certificate must be issued for 127.0.0.1 since the Jetty server is running on the client local machines.
If I create a self-signed certificate the solution works fine, but some browsers, for example Firefox, do not allow self-signed certs as trusted certs, and I doubt that a CA issues a certificate for 127.0.0.1.
So, what would be the best solution? Keep using the self signed cert? Is there any other way?
If you have admin privileges on the POS terminals, how about adding a line to the HOSTS file like:
127.0.0.1 localhost.mycompany.com
Now you can use a real certificate for localhost.mycompany.com in the server application.
(From How can I establish a secure connection to a websocket on localhost?)
I am working in an environment with the following configuration.
A Java server (outside my control) is hosting web services guarded by two-way SSL.
The server truststore contains a specific certificate to trust, instead of an entire CA to trust.
The specific certificate in question is a client certificate that I have access to.
In most cases, the application in question (e.g. SoapUI, Firefox, Chrome) won't send a client certificate to the server, despite one being installed in the local keystore or otherwise installed.
The only success I have had was with using Safari on my mac, as it allowed me to choose which client certificate I wanted to send.
Both the client and server certificates are signed by the same CA, if that matters at all.
Is there any way to make this work without server-side changes?
I am writing an application in GAE Java which authenticates the user by their certificate. I have created a self-signed certificate using keytool on the client side. I also enabled HTTPS requests in Google App Engine for my application. The flow of the application is very simple. The user comes to the home page of the application using any browser and then tries to access a resource of the application. I just authenticate the user if they have a valid certificate. I am missing the part of how this certificate that I created on the client side will be sent to the application when the user accesses my application from any browser. Also, how do I validate the certificate? Thanks in advance.
I did a lot of searching and came to these points, and I am sharing them here.
1- In this scenario, when a browser connects with the server, sending the client certificate is the responsibility of the browser. The client certificate has to be configured/installed/imported in the browser. If you are developing the client side, then you can write code to read the certificate from your local machine, embed it in the request and then send it to the server.
2- The browser only sends the certificate to the server when the server requests it, and after the server has already sent its certificate to the browser and this certificate has been validated by the browser. We have to first configure our server to send its certificate to the client and also request the client certificate. We can validate the client certificate in our application; we just have to extract the certificate from the request.
3- So far GAE doesn't provide a client certificate service. There is no way we can configure our GAE server to request a client certificate. Maybe there is another way to do this, but I didn't find any solution for it. I hope in future GAE will support client certificate authentication.
I have made an applet that creates an SSL socket connection with a C++ server. I understand a truststore is needed to establish an SSL socket connection between a Java client and an SSL server. My question is about how to use Java API code to let the applet know the name and password of the truststore I want to use (say mytruststore). I had some old code that used to work but doesn't anymore due to a recent Java update (probably to patch a security concern).
I understand a truststore is needed to establish an SSL socket connection between a Java client and an SSL server.
Only if the server uses a self-signed certificate. If it does, and if you can change that, get it changed; it is poor security practice and it is putting additional complexity and cost into your client. If the server uses a CA-signed certificate, the default Java truststore will work.
My question is about how to use Java API code to let the applet know the name and password of the truststore I want to use (say mytruststore).
You don't need the password for a truststore, only for a keystore (i.e. containing a private key). If you really have to include your own truststore, just hardcode its name.
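The three points made on this page about the Java client side (the default truststore is enough for a CA-signed server, a self-signed server needs its certificate in a custom truststore that can be loaded without a password, and two-way SSL additionally needs a keystore holding the client certificate and private key, as in the SoapUI/Firefox question above) can all be shown in one `SSLContext` builder. This is an added example written for this page, not code from any of the posts; the file paths, the `CLIENT_KEYSTORE_PASSWORD` environment variable and the target URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TlsClientContext {

    /**
     * Builds an SSLContext for a Java client.
     *
     * trustStorePath   null  -> use the JDK default truststore (enough for CA-signed servers)
     *                  path  -> trust only the certificates in that file (self-signed server)
     * keyStorePath     null  -> no client certificate is offered
     *                  path  -> offer the client certificate/private key for two-way SSL
     */
    static SSLContext build(String trustStorePath, String keyStorePath, char[] keyStorePassword)
            throws Exception {

        TrustManager[] trustManagers = null; // null => JDK default trust (cacerts)
        if (trustStorePath != null) {
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(trustStorePath)) {
                // A truststore holds only public certificates, so no password is needed
                // to read it; null simply skips the optional integrity check.
                trustStore.load(in, null);
            }
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            trustManagers = tmf.getTrustManagers();
        }

        KeyManager[] keyManagers = null; // null => client sends no certificate
        if (keyStorePath != null) {
            // The keystore holds the private key, so here the password is required.
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(keyStorePath)) {
                keyStore.load(in, keyStorePassword);
            }
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustManagers, null);
        return ctx;
    }

    /** Opens a raw TLS socket (the applet case) with hostname verification enabled. */
    static SSLSocket openSocket(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Without this, SSLSocket does not check that the certificate matches the host name.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("CLIENT_KEYSTORE_PASSWORD"); // assumed env var
        // Two-way SSL against a server whose certificate is not in the default truststore:
        SSLContext ctx = build("/etc/myapp/server-truststore.jks",   // assumed path
                               "/etc/myapp/client-keystore.p12",     // assumed path
                               password == null ? null : password.toCharArray());

        // For a CA-signed server with no client certificate, build(null, null, null) suffices.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://api.example.test/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

HttpsURLConnection performs hostname verification by itself; the explicit `setEndpointIdentificationAlgorithm("HTTPS")` matters only for the raw `SSLSocket` path, where the JDK leaves it off by default.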