After fulfilling the cert request on the server and then sending the
resulting cert back to the client, the server does not need to do
anything else with the cert at that point, since it was created with the
CA and the server's truststore trusts all certs from that CA, correct?
Also, how does revocation work on individual certificates? For
instance I have issued 10 certs signed by my CA, so how do I revoke 1 or
many of them and not simply "untrust" the entire CA?
Thanks again.
Chris
On 5/19/2011 1:40 PM, Dennis Sosnoski wrote:
Hi Chris,
It sounds like you might be best off using your own Certificate
Authority. That way you'd only need to import the CA's signing
certificate into your trust store, not every individual client
certificate (and if you configure it correctly, *only* certificates
signed by that CA will be accepted by the server).
The safest way to manage the certificates is to generate the
public/private key pair on the client, then export a certificate request
containing the generated public key (Java's keytool or any number of
other programs will allow you to do this). The owner of the client
system can then just email the certificate request to the CA
administrator, and if the owner's request is valid the CA can email back
a certificate. The owner of the client system would then need to import
the certificate into their keystore (where they saved the private key
that matched the certificate request), and use that keystore for the
SSL/TLS connection.
If you do a search you should find plenty of information to set this up.
I think Glen Mazza had a blog posting about using OpenSSL for your own
CA a while ago, so you might want to start there (keeping this in the
CXF family ;-) ).
- Dennis
Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
Axis2/CXF/Metro SOA and Web Services Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
On 05/20/2011 07:51 PM, Chris Richmond wrote:
I have successfully tested a CXF-based service and client in Java using
2-way SSL in code only (no Spring), following this example:
http://aruld.info/programming-ssl-for-jetty-based-cxf-services/
Now, I am simply reusing the same keystores/truststores from the CXF
example, but I am having difficulty figuring out the workflow for
securing my own service. What I want to achieve is having a 2-way SSL
CXF web service which I will generate certs for on the server side;
then the administrator will hand out those certs to trusted developers
and make an entry in the server's truststore for those certs? That
cert can be used by client developers to submit with their requests
for 2-way SSL.
I *think* the workflow will be like this, but I need advice on this.
create a keystore on the server machine.
create a truststore on the server machine.
generate a key in the keystore for a particular client to use.
export that key's certificate and import that cert into the server's
truststore so that the server will trust/allow any clients using that cert
access.
hand out that cert to the client developer via email, thumb drive, etc. (not
important how)
the client puts that cert into their keystore? Truststore?
The client needs to have a keystore and truststore as well, does it not?
But I'm not exactly sure what/where the client needs to put that cert
in order to call the server via CXF. The example I used above has
prebuilt key/truststores for client/server but has no instruction on
how they were built and what exactly is being accessed in each one in
that code.
Then I was thinking that the server admin can remove a cert from their
truststore (or revoke?) in case he thinks that cert has been compromised.
Is my thinking on this correct? Assuming the server side is correct,
what does a new client developer have to do keystore/truststore-wise in
order to effectively use that cert?
Thanks very much,
Chris
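The following script is an added example and is not code from this thread, from CXF, or from the blog posts it links to. It runs the workflow Dennis recommends in place of the server-generated-key workflow Chris sketched (key pair and CSR generated on the client, CSR signed by a private CA, signed cert imported next to the client's private key) and also shows the part Chris asks about in his follow-up: revoking one certificate without untrusting the CA, using a certificate revocation list (CRL). It assumes `openssl` is on PATH; the CA name "Example Internal CA", the client names, the `changeit` password, the directories and the commented `keytool` invocation are all hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA with openssl, the
# CSR workflow from Dennis's reply, and per-certificate revocation via a CRL.
# Assumes openssl on PATH; all names, paths and passwords are hypothetical.
set -eu

# Minimal config for "openssl ca"; $1 is the CA's working directory.
write_ca_config() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"            # issued-certificate database
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = internal_ca
[ internal_ca ]
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn_only
x509_extensions = client_ext
[ policy_cn_only ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# CA: self-signed root certificate plus an initially empty CRL.
setup_ca() {
    dir=$1
    write_ca_config "$dir"
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Internal CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
}

# Client machine: the private key stays here; only the CSR goes to the CA.
make_csr() {
    dir=$1; name=$2
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
}

# CA machine: sign the CSR; the certificate is all that is sent back.
sign_csr() {
    dir=$1; name=$2
    openssl ca -config "$dir/ca.cnf" -batch -notext -in "$dir/$name.csr" \
        -out "$dir/$name.crt" 2>/dev/null
}

# Client machine: key + cert + CA cert into a PKCS12 keystore, which Java
# loads with KeyStore.getInstance("PKCS12") for the TLS client side.
make_keystore() {
    dir=$1; name=$2
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -certfile "$dir/ca.crt" -name "$name" -out "$dir/$name.p12" -passout pass:changeit
}

# Server truststore holds only ca.crt (hypothetical keytool invocation):
#   keytool -importcert -noprompt -alias internal-ca -file ca.crt \
#       -keystore server-truststore.jks -storetype JKS -storepass changeit

# CA machine: revoke one certificate and republish the CRL. The other
# certificates from this CA stay valid; the CA itself is not untrusted.
revoke_cert() {
    dir=$1; name=$2
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/$name.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
}

# Relying party: chain to the CA and consult the CRL. 0 = valid, else rejected.
check_cert() {
    dir=$1; name=$2
    openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" \
        "$dir/$name.crt" 2>/dev/null | grep -q ': OK$'
}

# Usage: sh ca-demo.sh run
demo() {
    work=$(mktemp -d)
    setup_ca "$work"
    for c in client1 client2; do
        make_csr "$work" "$c"; sign_csr "$work" "$c"; make_keystore "$work" "$c"
    done
    revoke_cert "$work" client1
    for c in client1 client2; do
        if check_cert "$work" "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
    done
}
if [ "${1:-}" = run ]; then demo; fi
```

Two caveats a practitioner should keep in mind. First, "only certificates signed by that CA will be accepted" holds only if the server truststore contains nothing but the CA certificate and the server is configured to require (not merely request) client authentication; individual client certs do not belong in the truststore at all, which also means removing one from it does nothing once the CA is what is trusted, so revocation is the only way to cut off a single compromised client. Second, Java's default PKIX trust manager does not look at a CRL unless revocation checking is switched on (the `com.sun.net.ssl.checkRevocation` and `com.sun.security.enableCRLDP` system properties, or a `PKIXRevocationChecker` on a hand-built trust manager), so a CRL the server never consults revokes nothing; check how the Jetty/CXF configuration in use exposes this. If an older JDK refuses the PKCS12 file produced by OpenSSL 3, its `-legacy` option writes the older encoding that every JDK can read.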