complete certificate path validation

Xuelei Fan xuelei.fan at oracle.com
Tue Jul 12 01:21:13 UTC 2011


Hi Dave,

What's the underlying requirement that the client cannot send a full
certification path? That's not the way TLS works.

You may also be interested in the post, "Best Practice: to Include the
Complete Certificate Chain in the KeyStore",
http://sim.ivi.co/2011/06/best-practice-to-include-compelete.html

Regards,
Xuelei

On 7/12/2011 7:13 AM, David Pomeroy wrote:
> Hello All,
> 
> I'm trying to figure out if a certain security configuration is
> supported in openJDK or not.
> 
> I want to do client authentication at the server with one trusted root
> self-signed anchor certificate.  Then I want the client to send up only
> a client certificate, that was issued by a subordinate CA.  I want to
> use the "PKIX" TrustManagerFactory to accomplish this.
> 
> The client authentication succeeds when the subordinate CA certificate
> is added to the truststore used to initialize the PKIXBuilderParameters
> that is fed into the TrustManagerFactory.  However, the subordinate CA
> is not a root (self-signed) certificate and the PKIXCertPathValidator
> doesn't seem to care about that.  This doesn't meet my requirements,
> since the client cert path is not built all the way up to a root
> certificate.
> 
> If I do not include the subordinate CA certificate in the truststore,
> the client cannot connect and it doesn't seem like the validator is
> invoked at all.  I know I would have to include the sub CA certificate
> somehow but I'm not sure how to do this.
> 
> Is this configuration even supported?  I have tried openJDK 6 and 7,
> same results with each.
> 
> I imagine if the client sent up the sub CA certificate as well as the
> client certificate, the chain would be validated from the root all the
> way down. However, this is not the desired configuration.
> 
> Any help here would be appreciated.
> 
> Thanks!
> Dave P
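The three configurations discussed in this thread (root-only truststore with a bare client certificate, the sub CA added to the truststore, and the client sending its full chain against a root-only truststore), as an added example that is not part of the thread and not JDK code. It uses Go's crypto/x509 path builder rather than the JDK's PKIX classes to show the same behaviour: a trust anchor is wherever path building stops, so a sub CA placed in the truststore is accepted as an anchor even though it is not self-signed, while the path only reaches the root when the client supplies the intermediate. The CA names, serial numbers and validity period are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (a root CA); otherwise parentKey signs it.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario is a constructed hierarchy: "Root CA" (self-signed) -> "Sub CA" -> "client".
type Scenario struct {
	Root, Sub, Leaf *x509.Certificate
}

func NewScenario() Scenario {
	root, rootKey := issue("Root CA", 1, true, nil, nil)
	sub, subKey := issue("Sub CA", 2, true, root, rootKey)
	leaf, _ := issue("client", 3, false, sub, subKey)
	return Scenario{Root: root, Sub: sub, Leaf: leaf}
}

// verify plays the server-side validator: anchors is the truststore, sent is what
// the client presented next to its leaf. It returns the subject CNs of the path
// that was built, leaf first, or the validation error.
func verify(leaf *x509.Certificate, anchors, sent []*x509.Certificate) ([]string, error) {
	roots := x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range sent {
		intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(chains[0]))
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// LeafOnly: truststore holds only the root and the client sends only its own
// certificate. No path reaches the anchor, so validation fails.
func (s Scenario) LeafOnly() ([]string, error) {
	return verify(s.Leaf, []*x509.Certificate{s.Root}, nil)
}

// SubCAAsAnchor: the sub CA is added to the truststore. Validation succeeds, but
// the path stops at "Sub CA" and never reaches the self-signed root.
func (s Scenario) SubCAAsAnchor() ([]string, error) {
	return verify(s.Leaf, []*x509.Certificate{s.Root, s.Sub}, nil)
}

// FullChain: only the root is trusted and the client sends leaf plus sub CA.
// The path is built all the way up to "Root CA".
func (s Scenario) FullChain() ([]string, error) {
	return verify(s.Leaf, []*x509.Certificate{s.Root}, []*x509.Certificate{s.Sub})
}

func main() {
	s := NewScenario()
	for _, c := range []struct {
		name string
		run  func() ([]string, error)
	}{
		{"leaf only, root anchor", s.LeafOnly},
		{"sub CA in truststore", s.SubCAAsAnchor},
		{"full chain, root anchor", s.FullChain},
	} {
		path, err := c.run()
		fmt.Printf("%-24s path=%v err=%v\n", c.name, path, err)
	}
}
```

The second case is the one to watch for: adding the sub CA to the truststore makes the handshake succeed, but it silently turns the sub CA into a trust anchor, so checks that apply above it (the root's constraints, its revocation status) are never evaluated. Keeping only the root in the truststore and having the client present the complete chain is what makes the path reach the root.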
