I have a thrift endpoint that someone created who is no longer with our company. They implemented the authentication via client side certs, but I am having a hard time wrapping my head around how it all works. Does anyone know of a tutorial or howto on this topic?

All I really have is a sample client class. Here is a list of things that I need help with:

  1. Can a server cert and the client cert both be contained in the same trust store?
  2. How do you create a new client side cert?
  3. How do you add that client side cert to the server trust store?
  4. Do you need to set the client trust store, and set the java trust (assuming the server is a self signed endpoint)?
  5. What does the following error mean?

    ERROR[com.cada.CadaDaoTest][main] - Error: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

+1  A: 

The truststore (on Tomcat it's configured for the SSL connector in server.xml) can hold the root of the certificate chain of the client certificate, not the certificate itself. That is, when a certificate is created, it is signed by a CA - certificate authority. If the CA cert is trusted, all certs signed by the CA are trusted as well.

You can create certificates using either keytool (in jdk/bin/) or openssl. There are GUIs for that, like portecle.

The tomcat ssl tutorial might be helpful.

Bozho
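To make the answer's point concrete (the truststore holds the CA root, not the client certificate, and one CA can serve both sides), here is an added example that is not part of the question or the answer and is not Thrift or Tomcat code. It is written in Go rather than Java because the standard library lets the whole exchange run in one self-contained file: it mints a CA, a server certificate and a client certificate, then runs a mutual-TLS handshake over loopback with a CA-only truststore on the server. The CA names, `thrift-client` and `localhost` are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert mints a certificate for cn: a self-signed CA when parent is nil,
// otherwise an end-entity certificate signed by parent's private key.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              []string{"localhost"}, // lets the client check the server's name
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, crypto.Signer(key) // self-signed when there is no parent
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey.(crypto.Signer)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// truststore mirrors a Java truststore: CA roots only, never the peer certificates.
func truststore(cas ...tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca.Leaf)
	}
	return pool
}

// handshake runs one mutual-TLS handshake over loopback TCP: the server demands a client
// cert chaining to serverTrust, the client checks the server against clientTrust.
func handshake(serverCert, clientCert tls.Certificate, serverTrust, clientTrust *x509.CertPool) (serverErr, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			Certificates: []tls.Certificate{clientCert}, // sent only if its issuer is on the server's CA list
			RootCAs:      clientTrust,
			ServerName:   "localhost",
		})
		if err != nil {
			clientErr = err
			return
		}
		// A TLS 1.3 client finishes first, so read once: a rejection arrives here as the server's alert.
		if _, err := c.Read(make([]byte, 1)); err != io.EOF {
			clientErr = err
		}
		c.Close()
	}()
	raw, err := ln.Accept()
	if err != nil {
		return err, err
	}
	srv := tls.Server(raw, &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // a client cert is mandatory and must verify
		ClientCAs:    serverTrust,
	})
	serverErr = srv.Handshake()
	srv.Close()
	<-done
	return serverErr, clientErr
}

func main() {
	ca, rogue := newCert("Example Root CA", nil), newCert("Some Other CA", nil)
	server, client := newCert("localhost", &ca), newCert("thrift-client", &rogue)
	s, c := handshake(server, client, truststore(ca), truststore(ca))
	fmt.Printf("server trusts only Example Root CA: server=%v client=%v\n", s, c)
	s, c = handshake(server, client, truststore(ca, rogue), truststore(ca))
	fmt.Printf("after adding the client's CA root:  server=%v client=%v\n", s, c)
}
```

The first handshake fails: the server's CertificateRequest lists the CAs from its truststore, the client's certificate was issued by a CA that is not on that list, so the client presents nothing and the server aborts with a fatal alert, which the client reports as a bad certificate error, the client-side view shown in the question's log. Java's default key manager selects the client certificate by issuer in the same way. The second handshake succeeds once the client's CA root is in the server's truststore; the client certificate itself is never imported. In Java terms, `RootCAs` is the client's `javax.net.ssl.trustStore` and `ClientCAs` is the Tomcat connector's `truststoreFile`; to "add the client cert" to the server truststore you import its CA certificate, for example `keytool -importcert -trustcacerts -alias client-ca -file ca.crt -keystore truststore.jks`, and the same CA certificate imported into the client's truststore lets the client verify a server certificate issued by that CA, which answers the first question.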