JavaRanch » Java Forums » Engineering » Security

Retrieve certificates from 3rd party Certificate Authority

K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
Hi All,

I want to connect to a third-party Certificate Authority in order to obtain an individual's certificate based on search criteria (like email id).
I'm looking to download the individual's certificate from the third-party server and use it dynamically, assuming it is a trusted certificate. I do not want to store the certificate on my local server.
The problem here is how do I obtain the third-party (for example VeriSign or Microsoft) Certificate Authority server's hostname and port to retrieve the certificates.

Reading Sun's tutorial I came up with this...


Did a lot of googling but could not find a satisfactory answer.
Perhaps my key-words for the search are wrong, as I am completely new in this.
Thanks,


Aditi
Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26
Hi -
I would call (or email) VeriSign and explain that your user has stored their certificate with them and that you'd like to do an LDAP lookup of this certificate using an email address.
Cheers


SCJP, Oracle PL/SQL Developer
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
Thanks Set, but isn't there a different method? Because:
  • CAs can be added dynamically and arbitrarily
  • I will have to email/call the CA for every new user, which is not feasible.

[Edited to add list tag]
[ July 28, 2008: Message edited by: K Aditi ]
Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26
I understand there is a proverbial "chicken and egg" problem here, if I'm reading your design correctly. To address this, your application may support a collection of certificate authorities, and you may iterate through that collection until one of them returns a certificate chain. If your search returns no certificates then the user interface may ask the user which certificate authority holds their certificate.

By far the most manageable way to get a certificate chain from a user, however, is to SSL enable the connection to your site.
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
The module may support around 3-4 CAs.
The search criteria like name and email ID as well as the CA's name will be input to it from a different module.
It's like "Get me the certificate for XYZ issued by Verisign/Microsoft etc. from Verisign/Microsoft CA at the click of a button."

"By far the most manageable way to get a certificate chain from a user, however, is to SSL enable the connection to your site."

I know SSL theoretically but lack experience of practical application.
But wouldn't using SSL be more than necessary, because certificates can be viewed by anybody? I just want to retrieve them. Will I have to validate them?
Thanks,
Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26
I suggest you validate and verify certificate chains. What do you plan to do with the certificates once you retrieve them?
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
Perhaps I am asking a naive question, but why would I want to validate and verify certificates if I want to just store them on my card, which is just a storage space?
Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26
Imagine somebody wants to exploit your system. They may hijack your query for a user certificate and return a fairly large binary query result. But you are not validating or verifying so you max out the "storage space", card, etc. From then on, depending on your system, of which I'm just barely learning some details, you may have an availability problem.
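As an added example (not code from the thread or from any CA), this is how the LDAP lookup by e-mail that Set Cruz describes earlier could be done in Java, with the size limit and certificate validation his reply above argues for. The directory host, base DN, attribute name and trust-store contents are assumptions; the trust store is expected to contain the issuing CA certificate(s).

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
public class CaDirectoryLookup {
    static final String LDAP_URL = "ldap://ca-directory.example:389"; // placeholder: the thread names no real host
    static final String BASE_DN = "ou=People,o=Example CA";           // placeholder base DN
    static final int MAX_CERT_BYTES = 8 * 1024; // reject oversized results before parsing them
    public static X509Certificate lookupByEmail(String email, KeyStore trustStore) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"userCertificate;binary"});
            sc.setCountLimit(5);   // bound the number of entries returned
            sc.setTimeLimit(5000); // milliseconds
            // RFC 4515 escaping (backslash first) so the e-mail value cannot rewrite the filter
            String safe = email.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29");
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, "(mail=" + safe + ")", sc);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get("userCertificate;binary");
                byte[] der = attr == null ? null : (byte[]) attr.get();
                if (der == null || der.length > MAX_CERT_BYTES) continue; // the oversized-result case
                X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
                if (chainsToTrustStore(cert, trustStore) && hasEmail(cert, email)) return cert;
            }
            return null; // nothing acceptable found; the UI could ask which CA holds the certificate
        } finally { ctx.close(); }
    }
    static boolean chainsToTrustStore(X509Certificate cert, KeyStore trustStore) {
        try { // PKIX validation; the trust store must hold the issuing CA certificate(s)
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(true); // needs reachable CRLs/OCSP; -Dcom.sun.security.enableCRLDP=true fetches CRLs
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (Exception e) { return false; } // expired, untrusted issuer, revoked or malformed
    }
    static boolean hasEmail(X509Certificate cert, String email) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // entries are [type, value]; type 1 is rfc822Name
        if (sans == null) return false;
        return sans.stream().anyMatch(s -> Integer.valueOf(1).equals(s.get(0)) && email.equalsIgnoreCase((String) s.get(1)));
    }
}
```

A result that fails the size check, the PKIX validation or the e-mail binding is skipped rather than stored, which is the point of Set Cruz's objection.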
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
Ok. I see the point. Thanks for the reply. I will get back to you after doing some more research.
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
After thinking it over and doing some reading I would like to rephrase my question. I would like to retrieve a user certificate from a third-party CA. For this I require an access point of the CA so that I can query the CA for user certificates according to the search criteria.
By the way, by access point I mean the CA server's LDAP name or a URL etc. where certificates are stored.
I thought that the CA would provide me with an access point or something when I was granted a certificate after a CSR. But I did not receive anything of the sort.
Now how am I to retrieve it from the CA using Java code?
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
CAs do not typically maintain publicly queryable directories of user certificates.


Nice to meet you.
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
I did search for APIs but couldn't find them.
Do they expose APIs for querying?
Thanks,
[ August 07, 2008: Message edited by: K Aditi ]
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
I came across the VeriSign Certification Practice Statement (CPS). Section 2.6.3 Access Controls says that
"Information published in the repository portion of the VeriSign web site is publicly-accessible information. Read only access to such information is unrestricted. VeriSign requires persons to agree to a Relying Party Agreement or CRL Usage Agreement as a condition to accessing Certificates, Certificate status information, or CRLs."

This page provides the Relying Party Agreement.
Further, I believe VeriSign provides a page where one can search for digital certificates issued by VeriSign.
Am I on the right track? Can this be used to programmatically retrieve the certificates?
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
Well, I was wrong. I don't know of any other interfaces besides the web one you found, and I don't know about other CAs either.
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
Still searching... If not an API then a Web Service perhaps...