Hi Dave,

What are the underlying requirements that the client cannot send a full certification path? That's not the way TLS works.

You may also be interested in the post, "Best Practice: to Include the Complete Certificate Chain in the KeyStore", http://sim.ivi.co/2011/06/best-practice-to-include-compelete.html

Regards,
Xuelei

On 7/12/2011 7:13 AM, David Pomeroy wrote:
> Hello All,
>
> I'm trying to figure out if a certain security configuration is
> supported in openJDK or not.
>
> I want to do client authentication at the server with one trusted root
> self-signed anchor certificate. Then I want the client to send up only
> a client certificate, that was issued by a subordinate CA. I want to
> use the "PKIX" TrustManagerFactory to accomplish this.
>
> The client authentication succeeds when the subordinate CA certificate
> is added to the truststore used to initialize the PKIXBuilderParameters
> that is fed into the TrustManagerFactory. However, the subordinate CA
> is not a root (self-signed) certificate and the PKIXCertPathValidator
> doesn't seem to care about that. This doesn't meet my requirements,
> since the client cert path is not built all the way up to a root
> certificate.
>
> If I do not include the subordinate CA certificate in the truststore,
> the client cannot connect and it doesn't seem like the validator is
> invoked at all. I know I would have to include the sub CA certificate
> somehow but I'm not sure how to do this.
>
> Is this configuration even supported? I have tried openJDK 6 and 7,
> same results with each.
>
> I imagine if the client sent up the sub CA certificate as well as the
> client certificate, the chain would be validated from the root all the
> way down. However, this is not the desired configuration.
>
> Any help here would be appreciated.
>
> Thanks!
> Dave P
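The configuration Dave describes (root as the only trust anchor, client sends only its leaf, subordinate CA supplied on the server side) can be expressed with the standard PKIX APIs by putting the sub CA certificate into a CertStore attached to the PKIXBuilderParameters rather than into the truststore. The following is an added example, not code from the thread or from OpenJDK; the file names root-ca.pem, sub-ca.pem and client.pem are placeholders, and revocation checking is switched off only to keep the example self-contained. The key distinction it shows: anything placed in the anchor set is accepted as the end of a path (which is why adding the sub CA to the truststore "worked" but stopped short of the root), whereas certificates in a CertStore can only be used to complete a path that still has to terminate at a real anchor.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the mailing-list thread): server-side PKIX trust
 * setup where the self-signed root is the ONLY trust anchor, the subordinate
 * CA certificate is made available through a CertStore, and the client is
 * expected to present just its end-entity certificate.
 */
public class ChainBuildingTrust {

    /** Read every X.509 certificate (PEM or DER) from a file. */
    static List<X509Certificate> loadCerts(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /**
     * Trust anchors are only the root(s). Intermediates go into a Collection
     * CertStore: the path builder may use them to reach an anchor, but a path
     * can never end at one of them.
     */
    static PKIXBuilderParameters pkixParams(Collection<X509Certificate> roots,
                                            Collection<X509Certificate> intermediates)
            throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : roots) {
            anchors.add(new TrustAnchor(root, null));
        }
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(anchors, new X509CertSelector());
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        // Example assumption: no CRL/OCSP source is configured here. A real
        // deployment should keep revocation checking enabled and configure it.
        params.setRevocationEnabled(false);
        return params;
    }

    /** PKIX TrustManagers for SSLContext.init(...) on a server requiring client auth. */
    static TrustManager[] trustManagers(PKIXBuilderParameters params) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf.getTrustManagers();
    }

    /**
     * Offline check of what the trust manager will do with a leaf-only chain:
     * build a path from the leaf using the CertStore intermediates and return
     * the anchor certificate the path terminates at. Throws
     * CertPathBuilderException if no path to an anchor exists.
     */
    static X509Certificate anchorFor(PKIXBuilderParameters base, X509Certificate leaf)
            throws Exception {
        PKIXBuilderParameters params = (PKIXBuilderParameters) base.clone();
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        params.setTargetCertConstraints(target);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> roots = loadCerts(Paths.get("root-ca.pem"));   // placeholder path
        List<X509Certificate> subCa = loadCerts(Paths.get("sub-ca.pem"));    // placeholder path
        X509Certificate clientLeaf = loadCerts(Paths.get("client.pem")).get(0); // placeholder path

        PKIXBuilderParameters params = pkixParams(roots, subCa);
        X509Certificate anchor = anchorFor(params, clientLeaf);
        System.out.println("Path built to anchor: " + anchor.getSubjectX500Principal());
        // Because the sub CA is not an anchor, the only acceptable outcome is the root.
        if (!roots.contains(anchor)) {
            throw new IllegalStateException("path did not terminate at the root");
        }
        TrustManager[] tms = trustManagers(params);
        // tms is what goes into SSLContext.init(keyManagers, tms, null) on the server.
    }
}
```

Removing sub-ca.pem from the CertStore makes anchorFor throw CertPathBuilderException for a leaf-only chain, which is the "validator is never invoked" behaviour seen in the original post: the handshake fails before any path reaches validation because no path can be built. Xuelei's point still stands as the default: a TLS client is expected to send its intermediates, and the CertStore approach only works when the server operator already knows every subordinate CA that can issue client certificates.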
