I can't understand the general scheme of using certificates. For example: I have an account on some website. I have a name and password. What should I do to log in to this site? I should open https://website:443/login and fill out the fields, and if all is OK, I'll obtain admittance.

Now, I would like to perform these steps programmatically using Java + HttpClient (Apache). I've written:

DefaultHttpClient client = new DefaultHttpClient();

// Keep the session cookie the login page sets, so later requests stay logged in
client.getParams().setParameter(ClientPNames.COOKIE_POLICY,
                                CookiePolicy.BEST_MATCH);
client.setCookieStore(new BasicCookieStore());
// Credentials for HTTP (Basic/Digest) authentication, limited to this host and port
client.getCredentialsProvider()
      .setCredentials(new AuthScope(ADDRESS, Integer.valueOf(PORT)),
                      new UsernamePasswordCredentials(USERNAME, USERPWD));

And I should create trustStore with server's certificate:

System.setProperty("javax.net.ssl.trustStore", "./KeyStore/myca");

where 'myca' was made with 'InstallCert.java' (Sun's program).

But I would like to perform all these steps programmatically, the way a browser (Firefox or Opera) imports the server's certificate... The user just wants to use only my application, not a set of additional applications.

How can I perform it?

And now, the main problem: why do servers not require the user's certificate? And how can I use my own certificate to authenticate? (If I have the user's certificate, will I not need a name/password to log in to the server?)

+3  A: 

why do servers not require the user's certificate?

Servers do not require user certificates, because most users don't have one and don't know what it is or how to get one. And even if they did, such a certificate is either difficult or expensive to obtain, so many users won't get one.

So any server requiring a client certificate would reduce the number of users probably by a factor of 1000. Most server owners don't want that.

If I have the user's certificate, will I not need a name/password to log in to the server?

Depends on your requirements. Requiring a certificate + username/password would be considered two-factor authentication, which is a stronger form of protection than just requiring one factor. It would get even stronger by asking for some kind of biometric identification.

How can I perform it?

Perform exactly what? You are talking about doing things "programmatically", but you already present code ...?

And how can I use my own certificate to authenticate?

This should be done in the configuration of your server. You need to set up a trust store containing the trusted root certificates + require client authentication in the SSL configuration, e.g. search here for clientAuth.

Jens Schauder
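An added example (not code from the question or the answer) showing the programmatic version of both halves discussed above: the trust store is built in memory from a server or CA certificate file shipped with the application, instead of being fetched and trusted at first contact or set through the global javax.net.ssl.trustStore property, and the user's own certificate is loaded from a PKCS#12 file so it is presented when the server's SSL configuration requires client authentication. It assumes Apache HttpClient 4.3 or later; the file names, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class MutualTlsClient {
    // In-memory trust store holding one DER/PEM-encoded server or CA certificate
    // that ships with the application; no InstallCert, no system property.
    static KeyStore trustStoreFrom(String certPath) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // start empty
        try (InputStream in = new FileInputStream(certPath)) {
            Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
            ts.setCertificateEntry("server", cert);
        }
        return ts;
    }

    // SSLContext that trusts only what is in the trust store and presents the
    // user's certificate + private key (PKCS#12 file) when the server asks for it.
    static SSLContext sslContext(KeyStore trustStore, String p12Path, char[] p12Pwd) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            clientKeys.load(in, p12Pwd);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, p12Pwd);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, password and URL for this example
        SSLContext ctx = sslContext(trustStoreFrom("server.cer"), "user.p12", "changeit".toCharArray());
        try (CloseableHttpClient client = HttpClients.custom()
                     .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx)).build();
             CloseableHttpResponse resp = client.execute(new HttpGet("https://website:443/login"))) {
            System.out.println("HTTP " + resp.getStatusLine().getStatusCode());
        }
    }
}
```

Because the trust store contains only the shipped certificate, a connection to a server presenting any other certificate fails during the handshake, which is the check a browser's "import this certificate" click skips on first contact.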