On 7/12/2011 9:59 AM, David Pomeroy wrote:
> Hi Xuelei,
>
> The requirement is to keep the client certificate as small as possible.
> I'd rather not have to store the sub CA certificate on the client.
>
> I see that the server is sending a "certificate request" as part of the
> TLS handshake protocol. The DNs of the trusted certificates are
> specified in the request.
>
> It looks like the Sun JSSE provider does not support this
> configuration. Can you confirm?
>
It depends.

If there is no way to build a certification path to the trusted certificates sent by the server, the Oracle JSSE provider, SunJSSE, cannot work by default. JSSE is a flexible framework; you can do a lot of customization. Please refer to the JSSE reference guide if you want to change the default behaviors of SunJSSE: http://download.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html

Xuelei

> Thanks,
> Dave
>
>
> On Mon, Jul 11, 2011 at 6:21 PM, Xuelei Fan <[email protected]
> <mailto:[email protected]>> wrote:
>
> Hi Dave,
>
> What's the underlying requirement that the client cannot send a full
> certification path? That's not the way TLS works.
>
> You may also be interested in the post, "Best Practice: to Include the
> Complete Certificate Chain in the KeyStore",
> http://sim.ivi.co/2011/06/best-practice-to-include-compelete.html
>
> Regards,
> Xuelei
>
> On 7/12/2011 7:13 AM, David Pomeroy wrote:
> > Hello All,
> >
> > I'm trying to figure out if a certain security configuration is
> > supported in OpenJDK or not.
> >
> > I want to do client authentication at the server with one trusted root
> > self-signed anchor certificate. Then I want the client to send up only
> > a client certificate, that was issued by a subordinate CA. I want to
> > use the "PKIX" TrustManagerFactory to accomplish this.
> >
> > The client authentication succeeds when the subordinate CA certificate
> > is added to the truststore used to initialize the PKIXBuilderParameters
> > that is fed into the TrustManagerFactory. However, the subordinate CA
> > is not a root (self-signed) certificate and the PKIXCertPathValidator
> > doesn't seem to care about that. This doesn't meet my requirements,
> > since the client cert path is not built all the way up to a root
> > certificate.
> >
> > If I do not include the subordinate CA certificate in the truststore,
> > the client cannot connect and it doesn't seem like the validator is
> > invoked at all. I know I would have to include the sub CA certificate
> > somehow but I'm not sure how to do this.
> >
> > Is this configuration even supported? I have tried OpenJDK 6 and 7,
> > same results with each.
> >
> > I imagine if the client sent up the sub CA certificate as well as the
> > client certificate, the chain would be validated from the root all the
> > way down. However, this is not the desired configuration.
> >
> > Any help here would be appreciated.
> >
> > Thanks!
> > Dave P
> >
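One way to do the customization Xuelei points to, as an added example that is not part of this thread or of SunJSSE: a server-side X509TrustManager (hypothetical name IntermediateSupplyingTrustManager) that keeps only the self-signed root as a trust anchor, advertises only that root's DN in the CertificateRequest, and supplies the subordinate CA certificate from a local CertStore so that the PKIX builder still has to reach the root rather than stopping at the sub CA. Wiring it into SSLContext.init and loading the certificates are assumed to be done by the caller.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.X509TrustManager;

/** Server-side trust manager for clients that send only their leaf certificate.
 *  The sub CA certificates are held locally and fed to the PKIX builder; the
 *  only trust anchors are the self-signed root certificates in rootStore. */
public final class IntermediateSupplyingTrustManager implements X509TrustManager {
    private final Set<TrustAnchor> anchors = new HashSet<>();   // root CA(s) only
    private final CertStore intermediates;                      // local sub CA certs

    public IntermediateSupplyingTrustManager(KeyStore rootStore, List<X509Certificate> subCas)
            throws GeneralSecurityException {
        for (String alias : Collections.list(rootStore.aliases())) {
            if (rootStore.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) rootStore.getCertificate(alias), null));
            }
        }
        intermediates = CertStore.getInstance("Collection", new CollectionCertStoreParameters(subCas));
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { buildPathToRoot(chain); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { buildPathToRoot(chain); }

    /** Only the root DN goes into the CertificateRequest, so the client need not hold the sub CA. */
    @Override public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> roots = new ArrayList<>();
        for (TrustAnchor a : anchors) roots.add(a.getTrustedCert());
        return roots.toArray(new X509Certificate[0]);
    }

    private void buildPathToRoot(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(chain[0]);                   // the leaf the client sent
            PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
            params.addCertStore(intermediates);                // locally supplied sub CA certs
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Arrays.asList(chain))));
            params.setRevocationEnabled(false);                // demo setting; enable CRL/OCSP in production
            // Unlike trusting the sub CA directly, this fails unless the path ends at a root anchor.
            CertPathBuilder.getInstance("PKIX").build(params);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("no path from client certificate to a root anchor", e);
        }
    }
}
```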
