I would like to start using SATSA PKI to authenticate my users. There is something that I don't understand: in the enrollment process I first need to generate a CSR and then send this CSR to get a signed certificate. But to whom exactly do I send it?
this is the official example from sun:
Who is the "CA enrollment server" in reality? Can it be a self-signed certificate?
The implementation, not your application, is responsible for looking up security keys. A CA, or Certificate Authority, is useful for when you want to limit authentication to a small list of allowed keys.
The server is when you want to upload a message to your server and let it verify the signature on the data.
I'm not sure I got you right.
For authentication I use CMSMessageSignatureService as you've mentioned. But one parameter of the method authenticate(...) is the name (DN) of the CA who certified my private key. So in order to use the SATSA mechanism, I first have to do the following process:
1 - Create a key pair and a Certificate Signing Request (use UserCredentialManager.generateCSR()).
2 - Send the CSR to some CA enrollment server and get a certificate as a response.
3 - Store that certificate (use UserCredentialManager.addCredential()).
Only then can I start using CMSMessageSignatureService.authenticate.
My question is: in step 2, who is that "CA enrollment server"? Can a server of mine act as a "CA enrollment server", self-sign a CSR and create a certificate? Would the addCredential method accept a self-signed certificate? Are there any public "CA enrollment servers"?
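The three enrollment steps listed in the post, followed by the authenticate call they unlock, put together in one MIDlet-side sketch. This is an added example, not code from the thread or from Sun's SATSA documentation: the enrollment URL, the CA distinguished name, the credential display name and the helper method names are placeholders, and it assumes the enrollment server answers an HTTP POST of the PKCS#10 CSR with the issued certificate as a DER-encoded PkiPath, which is the form addCredential() expects. The CA name passed to authenticate() is what ties the stored credential to one issuer, so a server verifying the returned CMS signature should check that the signer certificate chains to that same CA and that the signed bytes are the nonce it handed out.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.pki.UserCredentialManager;
import javax.microedition.pki.UserCredentialManagerException;
import javax.microedition.securityservice.CMSMessageSignatureService;
import javax.microedition.securityservice.CMSMessageSignatureServiceException;

/** Illustrative SATSA (JSR 177) enrollment flow; helper names and constants are assumptions. */
public final class SatsaEnrollmentExample {

    // Hypothetical enrollment endpoint: replace with the URL of the CA you actually enroll with.
    private static final String ENROLLMENT_URL = "https://ca.example.invalid/enroll";
    // DN of the CA that signs the CSR; authenticate() is later restricted to this issuer.
    private static final String CA_NAME = "CN=Example Enrollment CA,O=Example,C=US";
    // Display name under which the issued certificate is stored on the device.
    private static final String CRED_NAME = "my-auth-cert";

    // Step 1: the security element creates the key pair and returns a PKCS#10 CSR.
    // The private key never leaves the security element; only the CSR bytes come back.
    static byte[] createCsr(String subjectDn) throws UserCredentialManagerException {
        return UserCredentialManager.generateCSR(
                subjectDn,
                UserCredentialManager.ALGORITHM_RSA,
                1024,                                           // key length in bits
                UserCredentialManager.KEY_USAGE_AUTHENTICATION, // not non-repudiation
                null,                                           // securityElementID: let the platform pick
                "Create authentication key");                   // prompt shown to the user
    }

    // Step 2: send the CSR to the enrollment server and read back the issued certificate.
    // Assumption: the response body is a DER-encoded PkiPath (the format addCredential() takes).
    static byte[] submitCsr(byte[] csr) throws IOException {
        HttpConnection conn = (HttpConnection) Connector.open(ENROLLMENT_URL);
        try {
            conn.setRequestMethod(HttpConnection.POST);
            conn.setRequestProperty("Content-Type", "application/pkcs10");
            OutputStream out = conn.openOutputStream();
            out.write(csr);
            out.close();

            if (conn.getResponseCode() != HttpConnection.HTTP_OK) {
                throw new IOException("enrollment failed: HTTP " + conn.getResponseCode());
            }
            InputStream in = conn.openInputStream();
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[512];
            int n;
            while ((n = in.read(chunk)) > 0) {
                buf.write(chunk, 0, n);
            }
            in.close();
            return buf.toByteArray();
        } finally {
            conn.close();
        }
    }

    // Step 3: store the issued certificate next to the key that was generated in step 1.
    // The platform matches the certificate to the key; it refuses one that does not fit.
    static boolean storeCertificate(byte[] pkiPath) throws UserCredentialManagerException {
        // uri may be null because the certificate is supplied inline as pkiPath.
        return UserCredentialManager.addCredential(CRED_NAME, pkiPath, null);
    }

    // After enrollment: sign a server-supplied nonce with the enrolled key.
    // Restricting caNames to CA_NAME makes the platform pick a credential issued by that CA.
    // Signing a fresh nonce rather than a fixed string is what stops replay of an old signature.
    static byte[] authenticateChallenge(byte[] serverNonce)
            throws CMSMessageSignatureServiceException, UserCredentialManagerException {
        String[] caNames = { CA_NAME };
        return CMSMessageSignatureService.authenticate(
                serverNonce,
                CMSMessageSignatureService.SIG_INCLUDE_CERTIFICATE, // let the server see the signer cert
                caNames,
                "Authenticate to server");
    }

    // End-to-end enrollment as the post describes it: CSR -> enrollment server -> addCredential.
    static boolean enroll(String subjectDn)
            throws UserCredentialManagerException, IOException {
        byte[] csr = createCsr(subjectDn);
        byte[] pkiPath = submitCsr(csr);
        return storeCertificate(pkiPath);
    }
}
```

Whatever answers the enrollment URL, the certificate it returns must be issued under the DN you later pass in caNames, otherwise authenticate() will not find a usable credential; and the server that receives the CMS blob still has to validate the embedded certificate against the CA it trusts rather than take the signature at face value.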
Walter Gabrielsen Iii
Are you using this with some kind of smart card or similar ID? The reason I ask is because maybe there is a security logo, on the back of the card, or in the fine-print that tells you who is providing the security for that medium so you can verify it using their system.