Sending Complete Chain from Common Access Card (CAC)?

views:

183

answers:

+1 Q:

Sending Complete Chain from Common Access Card (CAC)?

I'm attempting to enable SSL communication from a web service client (Axis2) using the certificate on the user's CAC card. Works like a charm....UNTIL the web server is CAC enabled. At that point the SSL connection is rejected with the error message that the other certificates in the chain were not included.

I have ensured that the provider is available, either by adding it to the security.properties file or creating it programatically.

My current approach is to simply set the system properties: System.setProperty("javax.net.ssl.keyStore", "NONE"); System.setProperty("javax.net.ssl.keyStoreType", "PKCS11");

I understand from this question/answer that this approach only sends the "end entity" certificate. Apparently I need to implement my own X509KeyManager. This is new ground for me, can anyone suggest a good reference or provide samples of how to do so?

Appreciate the assistance.

erickson 2009-12-07 22:58:16

If you know the intermediates and control the server you're connecting to then you can add needed intermediates to the server configuration instead of changing the client.

martin 2009-12-08 05:24:42

Possibly. It depends on the server. When a server is misconfigured with an incomplete chain, it isn't unreasonable for clients to treat it as a bug. Likewise, it is reasonable to have the same expectation for client authentication. In this question, the poster has indicated that they control the client, and has asked for help in implementing a key manager—an approach that satisfies the expectation to provide a complete chain.

erickson 2009-12-08 05:45:25

Thanks for the feedback. I'm going to try this out with a regular socket and then figure out how to insert the same change into the Axis2 configuration.

DBCowboy 2009-12-09 20:38:27

ansaurus

tags:

views:

answers:

Sending Complete Chain from Common Access Card (CAC)?

related questions