JavaRanch » Java Forums » Engineering » Security
X509 Client Authorization

Tom Boyce
Greenhorn

Joined: Jul 03, 2003
Posts: 24
I have been struggling with implementing client authorization with x509 certificates. I am able to get server-side SSL, but adding in the client side seems next to impossible. Does your book cover this aspect? We will be the CA for the client on a Win2k server. Specifically, I believe my issue is between proper key generation (on both sides) and proper deployment. Which is the root cert that needs to be in the server truststore, and what other certs make up the chain? This is a very confusing topic and, although I've posted and searched the internet, very few seem willing or able to assist.
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11945
Originally posted by Tom Boyce:
Which is the root cert that needs to be in the server truststore and what other certs make up the chain?
When you've generated a self-signed key for the client, export it from the client's keystore, and import it into the server's keystore. This can be done with 'keytool' that's part of the JDK.
If you don't import the client's certificate into the server's keystore, the server won't trust it because none of the "official" CAs have signed your self-signed certificate and the chain of trust is not there.


Author of Test Driven (Manning Publications, 2007) [Blog] [HowToAskQuestionsOnJavaRanch]
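To make the keystore-and-truststore arrangement Lasse describes concrete, here is an added JSSE example (mine, not code from the thread or from any book mentioned in it). It assumes four keystores created with keytool, all with the assumed password "changeit": server.jks and client.jks hold each side's private key and certificate, and server-trust.jks / client-trust.jks hold the certificates each side trusts. The point of the example is that client authentication is simply the server's truststore plus `setNeedClientAuth(true)`; the client's KeyManager then answers the server's certificate request automatically.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: mutual (client-authenticated) TLS with JSSE.
 * Assumed files (not from the thread), all created with keytool:
 *   server.jks         server private key + certificate
 *   server-trust.jks   what the server trusts: the client's self-signed cert,
 *                      or the CA certificate that signed the client's cert
 *   client.jks         client private key + certificate
 *   client-trust.jks   what the client trusts: the server cert or its CA
 */
public class MutualTlsDemo {

    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds an SSLContext that presents keyStore's key and trusts only trustStore's certs. */
    static SSLContext context(String keyStore, String trustStore, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, password), password);   // same password assumed for store and key

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, password));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: refuse the handshake unless the client presents a certificate we trust. */
    static void serve(int port, char[] password) throws Exception {
        SSLServerSocketFactory f = context("server.jks", "server-trust.jks", password).getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) f.createServerSocket(port)) {
            server.setNeedClientAuth(true);   // the one line that turns on client authentication
            try (SSLSocket s = (SSLSocket) server.accept()) {
                // The handshake has already validated the client's chain against server-trust.jks;
                // the authenticated identity is available from the session.
                X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                System.out.println("Authenticated client: " + peer.getSubjectX500Principal());
                s.getOutputStream().write("hello\n".getBytes("US-ASCII"));
            }
        }
    }

    /** Client side: the KeyManager built from client.jks answers the server's CertificateRequest. */
    static void connect(String host, int port, char[] password) throws Exception {
        SSLSocketFactory f = context("client.jks", "client-trust.jks", password).getSocketFactory();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            s.startHandshake();   // fails here if either side rejects the other's chain
            int c;
            while ((c = s.getInputStream().read()) != -1) System.out.print((char) c);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();   // assumed keystore password
        if (args.length > 0 && args[0].equals("server")) serve(8443, pw);
        else connect("localhost", 8443, pw);
    }
}
```

Run `java MutualTlsDemo server` in one terminal and `java MutualTlsDemo` in another. If the client's certificate (or its issuing CA) is missing from server-trust.jks, the server-side handshake fails with a "certificate unknown" style SSLHandshakeException, which is the failure Lasse's answer explains: the server has no chain of trust to the client's self-signed certificate.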
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
In the real world case, the root CA is the one that you *MUST* trust. This is one of the assumptions for PKI, otherwise, the whole PKI idea won't work.
So, the 1st interesting question is, how to verify the root CA? The answer is, you have no need to or you can't verify the root CA because it is already the root, no other CA is above it. Thus, the only way is, the root CA certificate will be signed by itself. Since you always trust the root CA, thus, you trust its signature as well.
Then, for any delegated CAs, you can always verify them by verifying the signature of the CA that issued the cert. of the target CA. This forms a certificate path.
For example, if the path is:
root -> CA1 -> CA2 -> CA3 -> server1
If you want to verify whether server1 is your target server, you check the digital signature on the cert. of server1 with CA3. Then, you check the signature of CA3 with CA2, etc., until you reach the root. As you always trust the root, if you finally reach the root, you then trust server1.
For another point raised by Lasse, if you have not imported the cert of the client, the server is not able to verify the client. However, it depends on your needs.
For example, when you buy a book from Amazon, your focus is to identify whether the Amazon website is *true*, and thus, you check its certificate. However, you will discover that Amazon never seems to check your identity. It is because Amazon doesn't need to care who you are, it just cares whether you paid.
Thus, if your credit card is stolen by others, they can use your card to perform orders. And as this issue becomes more serious, Visa now requires the card holder either to register his card for internet use (with a limited amount), or to give a password (or token) before the purchase to perform client authentication.
Nick


SCJP 1.2, OCP 9i DBA, SCWCD 1.3, SCJP 1.4 (SAI), SCJD 1.4, SCWCD 1.4 (Beta), ICED (IBM 287, IBM 484, IBM 486), SCMAD 1.0 (Beta), SCBCD 1.3, ICSD (IBM 288), ICDBA (IBM 700, IBM 701), SCDJWS, ICSD (IBM 348), OCP 10g DBA (Beta), SCJP 5.0 (Beta), SCJA 1.0 (Beta), MCP(70-270), SCBCD 5.0 (Beta), SCJP 6.0, SCEA for JEE5 (in progress)
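The chain walk Nick describes (check server1 against CA3, CA3 against CA2, and so on up to the self-signed root) is exactly what the JDK's PKIX validator does on the server's behalf during the handshake. The following added example (mine, not from the thread) does the walk by hand with `X509Certificate.verify` and then repeats it with `CertPathValidator`, so the two can be compared. It assumes DER or PEM certificate files named after Nick's path: root.cer, ca1.cer, ca2.cer, ca3.cer and server1.cer.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example: verifying the path root -> CA1 -> CA2 -> CA3 -> server1 two ways. */
public class ChainWalkDemo {

    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Manual walk, leaf first: each certificate must name the next one as issuer and carry a
     * signature that the next one's public key verifies; the last link is the trusted root.
     * Returns false on a name mismatch; a bad signature or expired cert throws.
     */
    static boolean walkByHand(List<X509Certificate> chain, X509Certificate root) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate issuer = (i + 1 < chain.size()) ? chain.get(i + 1) : root;
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
            cert.checkValidity();                  // not expired, not yet valid -> CertificateException
            cert.verify(issuer.getPublicKey());    // wrong signer -> SignatureException
        }
        // Nick's point: nothing sits above the root, so the only check left is its own self-signature.
        root.verify(root.getPublicKey());
        return true;
    }

    /**
     * The same walk via the PKIX validator, which additionally enforces basicConstraints
     * (is this really a CA?), key usage and path length, and can do revocation checking.
     */
    static void validateWithPkix(List<X509Certificate> chain, X509Certificate root) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);   // no CRL/OCSP source in this demo; enable it in production
        CertPathValidator.getInstance("PKIX").validate(path, params);   // throws CertPathValidatorException
    }

    public static void main(String[] args) throws Exception {
        // Assumed files; leaf first, root kept separate as the trust anchor.
        X509Certificate root = readCert("root.cer");
        List<X509Certificate> chain = Arrays.asList(
            readCert("server1.cer"), readCert("ca3.cer"), readCert("ca2.cer"), readCert("ca1.cer"));
        System.out.println("hand walk ok: " + walkByHand(chain, root));
        validateWithPkix(chain, root);
        System.out.println("PKIX ok");
    }
}
```

The hand-rolled walk is there to show the mechanics; in a real deployment rely on the PKIX validator (which is what the default TrustManager uses), because checking signatures alone does not stop an end-entity certificate from being used to sign a fake intermediate.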
Marco Pistoia
Author
Greenhorn

Joined: Apr 19, 2004
Posts: 27
You may find help in my book, "Enterprise Java Security", which has a long chapter on JSSE explaining all the details.
Marco Pistoia


Marco Pistoia, Ph.D. http://www.research.ibm.com/people/p/pistoia/