I am writing an application in GAE Java which authenticates the user by its certificate. I have created a self-signed certificate using keytool at the client side. I also enabled HTTPS requests in Google App Engine for my application. The flow of the application is very simple. The user comes to the home page of the application using any browser and then tries to access a resource of the application. I just authenticate the user if it has a valid certificate. I am missing the part of how this certificate that I created at the client side will be sent to the application when the user accesses my application through any browser. Also, how do I validate the certificate? Thanks in advance.
I did a lot of searching and came to these points, and am sharing them here.
1- In this scenario, when a browser connects with the server, sending the client certificate is the responsibility of the browser. The client certificate has to be configured/installed/imported in the browser. If you are developing the client side, then you can write code to read the certificate from your local machine, embed it in the request and then send it to the server.
2- The browser only sends a certificate to the server when the server requests it, and the server has already sent its certificate to the browser and this certificate has been validated by the browser. We have to first configure our server to send a certificate to the client and also request the client certificate. We can validate the client certificate in our application; we just have to extract the certificate from the request.
3- Till now GAE doesn't provide a client certificate service. There is no way we can configure our GAE server to request a client certificate. Maybe there is another way to do this, but I didn't find any solution for it. I hope in future GAE will support client certificate authentication.
I am rather new to Spring Boot and SSL. I have developed an SSL REST web server with a server keystore, private key and server CA that correctly handles mutual X.509 certificate authentication. I have tested that HTTPS requests work with Postman and also a Python client, and everything is working correctly: both the server and client are successfully exchanging and validating each other's certificates.
But my scenario is a little bit different.
I have created and connected one PostgreSQL database to my Spring Boot application, and I have created entities of tables with specific ID numbers and also REST endpoints with which you can create, get entities etc.
So my scenario is the following:
The Python client comes with a specific ID number and makes a request to one REST endpoint which is available to everybody (permitted by the server).
The Spring Boot server checks that ID number in the database and creates a client certificate for the Python client (which is where I am stuck right now) and sends this certificate to the client.
After sending the client certificate, the client can use it and communicate with the server using the certificate.
So the question is the following:
Is it possible to create a client certificate at runtime in Java? If yes, how can I create it and send it back to the client?
Thank you for your time and response.
I have found the solution. If somebody needs a similar solution, you can use the following steps:
Create a public endpoint in Spring Boot with which you can take the given ID number.
Compare it with your database and, if the ID number exists, call an .sh file (use Process).
In this .sh file, use openssl commands to generate a key, remove the passphrase from the key (if you used one), create a client certificate request and finally sign the certificate.
Finally, send this signed certificate and private key back to the client.
After all that, your client can use your signed certificate with the private key and use your secured endpoints.
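As an added example that is not part of the answer above, the same issuing step done in-process with Bouncy Castle (bcpkix on the classpath is an assumption) instead of an .sh file. It signs a CSR the client submits rather than generating the key on the server, so the private key never has to travel back over the wire, and it takes the subject from the database-verified id rather than from the CSR; the class and method names are mine.

```java
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;

/** Signs a client's CSR with the server CA key; call only after the id was found in the database. */
public final class ClientCertIssuer {
    public static X509Certificate issue(String verifiedClientId, PKCS10CertificationRequest csr,
                                        X509Certificate caCert, PrivateKey caKey) throws Exception {
        // Proof of possession: the CSR must verify under the public key it carries.
        PublicKey clientPub = new JcaPKCS10CertificationRequest(csr).getPublicKey();
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(clientPub))) {
            throw new SecurityException("CSR signature does not verify");
        }
        // Subject is built from the server-verified id, not copied from the CSR.
        X500Name subject = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, verifiedClientId).build();
        BigInteger serial = new BigInteger(64, new SecureRandom());   // unique, unpredictable serial
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000L);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caCert, serial, notBefore, notAfter, subject, clientPub);
        // End-entity certificate restricted to TLS client authentication.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
        builder.addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        // Assumes an RSA CA key (bcpkix must be on the classpath).
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(caKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }
}
```

The returned certificate can be PEM-encoded and sent back in the endpoint's response; only the client holds the matching private key.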
Suppose I am a Java web server application. I want a Java client to be able to connect to me from a Java application by REST over HTTPS over the internet.
So I got my CA certificate, added it to my truststore and created my keystore.
My question is: does the client application have to get anything from me (a file or any other information) in order to be able to establish this connection (regarding the SSL issue, I mean)?
Thank you
If your certificate is signed by a CA, the client doesn't need anything else. If it is self-signed, the client will need the same certificate to compare.
I have developed a Java application that uses a signature pad to capture biometric signatures. The pad is plugged into the client computers, so I need to run the Java controller on each local machine. To do that we run a JAR that contains a Jetty server. We use the WebSocket protocol to start the signature process from the browser and to send data to the Jetty server.
The problem: we need to create a certificate for the secure WebSocket connection, and this certificate must be issued for 127.0.0.1 since the Jetty server is running on the client local machines.
If I create a self-signed certificate the solution works fine, but some browsers, for example Firefox, do not allow self-signed certs as trusted certs, and I doubt that a CA would issue a certificate for 127.0.0.1.
So, what would be the best solution? Keep using the self-signed cert? Is there any other way?
If you have admin privileges on the POS terminals, how about adding a line to the HOSTS file like:
127.0.0.1 localhost.mycompany.com
Now you can use a real certificate for localhost.mycompany.com in the server application.
(From How can I establish a secure connection to a websocket on localhost?)
I am working in an environment with the following configuration.
A Java server (outside my control) is hosting web services guarded by two-way SSL.
The server truststore contains a specific certificate to trust, instead of an entire CA to trust.
The specific certificate in question is a client certificate that I have access to.
In most cases, the application in question (e.g. SoapUI, Firefox, Chrome) won't send a client certificate to the server, despite one being installed in the local keystore or otherwise installed.
The only success I have had was with using Safari on my Mac, as it allowed me to choose which client certificate I wanted to send.
Both the client and server certificates are signed by the same CA, if that matters at all.
Is there any way to make this work without server-side changes?
I have a Java application running on Tomcat, and the application needs to consume a WCF service that requires client certificate authentication. I have the keystores and truststores configured on the client side and I have confirmed that the request is getting sent to IIS; however, I'm getting an "unauthorized" error message in the IIS logs. I'm wondering if there is any specific Tomcat configuration required in order to allow sending a client certificate from the client?
Thanks in advance.
It's the application code that is calling the WCF service, right? In that case, I don't think Tomcat configuration is what you need - Tomcat's SSL configuration is about what SSL authentication happens when browsers and other web clients connect to the Tomcat server and its applications, not about what happens when the applications are themselves clients to other network services. Rather, the application code calling the service needs to use an SSLContext created with the proper keystore, which will need to hold both the private key and certificate presented to the server for client authentication, and the certificates needed to authenticate the certificate presented by the WCF service.
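As an added example (not code from the answer above or from the asker's project), the SSLContext setup the answer describes, built from a PKCS12 keystore holding the client key and certificate and a separate truststore holding the CA; file names, passwords and the service URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Client-side SSLContext: key manager presents our certificate, trust manager validates the server's. */
public final class MutualTlsClient {
    private static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static SSLContext buildContext(String keystorePath, char[] keystorePassword,
                                          String truststorePath, char[] truststorePassword)
            throws Exception {
        // Keystore: our private key and the certificate chain sent for client authentication.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystorePath, "PKCS12", keystorePassword), keystorePassword);
        // Truststore: the CA (or exact certificate) that must have signed the WCF service's certificate.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath, "PKCS12", truststorePassword));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Uses the context on this connection only; the JVM default context stays untouched. */
    public static int callService(SSLContext ctx, String serviceUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(serviceUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        return conn.getResponseCode();  // a 401 here usually means the client certificate was not accepted
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and URL; replace with the real client keystore and service.
        SSLContext ctx = buildContext("client.p12", "changeit".toCharArray(),
                                      "truststore.p12", "changeit".toCharArray());
        System.out.println("HTTP status: " + callService(ctx, "https://wcf.example.com/Service.svc"));
    }
}
```

If the keystore is JKS rather than PKCS12, change the type string accordingly; the javax.net.ssl.keyStore system properties only affect the JVM's default context, not one built explicitly like this.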