The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
Gokul Cj wrote: Please help me with these doubts. It would be a great help for me to understand this. I have been stuck at this for the past one week. Thanks in advance.
Stephan van Hulst wrote:You use the key tool to generate the CA's key store and to import the CA's certificate into the API's trust store.
You use code in the client to generate the client's key pair.
You use code in the CA to generate and sign a client certificate from the client's public key.
You don't need code to verify the client certificate in the API. You can just let Tomcat do it.
If I'm interpreting the BouncyCastle API correctly, to generate a client certificate you set the certificate info using the following methods:
setSubjectDN() to set the client's distinguished name.
setPublicKey() to set the client's public key.
setNotBefore() and setNotAfter() to set the validity of the certificate. Keep the validity short, maybe a few hours or days.
setIssuerDN() to set the distinguished name of your CA. This must match the subject DN of the CA's own certificate.
Then, call generate() using the private key associated with the CA's certificate.
Gokul Cj wrote:And how this validation occurs internally. What parameters are checked by the server during validation?
Gokul Cj wrote:How can I get the private key from the CA's certificate?
Gokul Cj wrote: ... I sent a certificate in Postman for testing the API but it allows access even without a certificate. I have also made SSL configurations in the server.xml file of Tomcat but I do know where I have done the mistake.
Ron McLeod wrote:
You probably also need to configure the truststorefile to point to the keystore which contains the certificate for the CA which signed the client certificate, or create another store which holds the CA's cert.
Gokul Cj wrote:Can I use keyPair to setPublicKey() ?
Gokul Cj wrote:I just want to understand
and use it for personal use.
This is what I want to do
...
Please explain each step in a single reply.
Is there any possibility of verifying a self-signed certificate on the client's side?
We've already explained each step. There is no new information. If you want new information, you need to tell us what you don't understand about our previous explanations.
Also, you haven't told us yet what you meant by:
Is there any possibility of verifying a self-signed certificate on the client's side?
Why do you want to do this?
Stephan van Hulst wrote:You use the key tool to generate the CA's key store and to import the CA's certificate into the API's trust store.
Stephan van Hulst wrote:You use code in the client to generate the client's key pair.
Stephan van Hulst wrote:You don't need code to verify the client certificate in the API. You can just let Tomcat do it.
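The steps quoted above (client key pair, CA-signed short-lived client certificate, issuer DN equal to the CA's subject DN) as an added example, not code from any poster in this thread. It uses the builder classes from BouncyCastle's bcpkix module rather than the set...() generator methods named in the thread. Assumptions: the class name, DNs and validity periods are illustrative, and the CA is generated in memory as a constructed stand-in for the keytool key store.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class IssueClientCert {  // hypothetical class name
    // Builds a certificate for subjectKey and signs it with signerKey.
    // The issuer name must equal the subject DN of the signer's own certificate.
    static X509Certificate issue(X500Name issuer, PrivateKey signerKey, X500Name subject,
            PublicKey subjectKey, Duration validity, boolean isCa) throws Exception {
        Instant now = Instant.now();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer, new BigInteger(128, new SecureRandom()),
                Date.from(now.minusSeconds(60)), Date.from(now.plus(validity)),
                subject, subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(signerKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed stand-in CA. With a keytool key store, the CA private key is read
        // with KeyStore.getKey(alias, password); a certificate alone never contains it.
        KeyPair caKeys = gen.generateKeyPair();
        X500Name caName = new X500Name("CN=Example Test CA");
        X509Certificate caCert = issue(caName, caKeys.getPrivate(), caName,
                caKeys.getPublic(), Duration.ofDays(365), true);
        // Client side: generate the key pair; only the public key is given to the CA.
        KeyPair clientKeys = gen.generateKeyPair();
        // CA side: sign a short-lived certificate over the client's public key.
        X509Certificate clientCert = issue(caName, caKeys.getPrivate(),
                new X500Name("CN=example-client"), clientKeys.getPublic(),
                Duration.ofHours(8), false);
        // Local sanity checks only: signature by the CA key, validity window, issuer match.
        clientCert.verify(caCert.getPublicKey());  // throws if not signed by the CA key
        clientCert.checkValidity();                // throws if outside notBefore/notAfter
        System.out.println(clientCert.getIssuerX500Principal()
                .equals(caCert.getSubjectX500Principal()));
    }
}
```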