Enforcing selection of cert with CA is a smart idea.
I'll definitely go through the thread you mentioned.
Thanks.
Jian
From: Stuart Miller <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: how to sepcify certificate alias
Date: 11/02/2004 05:11 AM
Please respond to axis-user
Jian, I'm afraid you cannot. Not even at the SSL level can you do this,
unless you write your own KeyManager.
When the SSL connection is made, the server will send a list of Issuer DNs
which are acceptable, so that the client will decide this way which cert he
can present (the decision is also based on algorithms I think). If there is
more than one possible cert to use, you don't have control over which is
selected. If you control the server-side, then you could remove the root
CAs from the trustStore to leave only 1, thereby forcing the client to
select the cert issued by that CA. If, however, your client has 2 certs
from the same CA, then again... you don't have the control you want.
For more information, follow a thread I started in this list on Dec 17 2003,
called "SecureSocketFactory pluggability?". I have the same problem.
Good luck,
Stuart
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday 10 February 2004 20:53
To: [EMAIL PROTECTED]
Subject: how to sepcify certificate alias
I have two applications that access a web service. We use HTTPS for
authentication and encryption.
We can get these applications to access the service with one certificate
stored in one keystore file,
but we want them to use two different certificates. The two certificates can
be saved in one keystore file.
Both applications run inside the same application server instance (JVM).
The problem is that we can use a system property to specify where the
keystore file is, but I cannot find
in the JSSE documentation how a certificate alias is specified to tell which
application is using which certificate.
Any idea?
Thanks
Jian
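
The "write your own KeyManager" route mentioned in the reply, as an added example that is not part of the original thread or of Axis: an `X509KeyManager` pinned to one keystore alias, with one `SSLContext` built per application. The class name, the `contextFor` helper and the aliases `app-a`/`app-b` are hypothetical, and the key-type check is a simplification.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;
// Added example: a client-side key manager that only ever offers one keystore alias.
public class FixedAliasKeyManager implements X509KeyManager {
    private final KeyStore ks; private final char[] password; private final String alias;
    FixedAliasKeyManager(KeyStore ks, char[] password, String alias) {
        this.ks = ks; this.password = password; this.alias = alias;
    }
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
        X509Certificate[] chain = getCertificateChain(alias);
        if (chain == null || chain.length == 0) return null;
        // Simplified key-type check: the leaf key algorithm must be one the server asked for.
        if (!Arrays.asList(keyTypes).contains(chain[0].getPublicKey().getAlgorithm())) return null;
        if (issuers == null || issuers.length == 0) return alias; // server sent no issuer list
        for (X509Certificate c : chain)   // chain must lead to an issuer DN the server accepts
            if (Arrays.asList(issuers).contains(c.getIssuerX500Principal())) return alias;
        return null; // present no certificate rather than fall back to another alias
    }
    @Override public X509Certificate[] getCertificateChain(String a) {
        try {
            Certificate[] chain = ks.getCertificateChain(a);
            return chain == null ? null : Arrays.copyOf(chain, chain.length, X509Certificate[].class);
        } catch (KeyStoreException e) { return null; }
    }
    @Override public PrivateKey getPrivateKey(String a) {
        try { return (PrivateKey) ks.getKey(a, password); }
        catch (GeneralSecurityException e) { return null; }
    }
    @Override public String[] getClientAliases(String t, Principal[] i) { return new String[] { alias }; }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return null; }
    // One SSLContext per application; trust managers and randomness stay at the JSSE defaults.
    static SSLContext contextFor(KeyStore ks, char[] password, String alias) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(ks, password, alias) }, null, null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // constructed empty store so this runs offline; load the shared keystore here
        SSLContext appA = contextFor(ks, new char[0], "app-a"); // hypothetical aliases
        SSLContext appB = contextFor(ks, new char[0], "app-b");
        System.out.println(appA.getProtocol() + " contexts built: " + (appA != appB));
    }
}
```

Each application would then take its sockets from its own context's `getSocketFactory()` instead of relying on the JVM-wide keystore system properties.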