views:

187

answers:

1

Hi All.. I have started a project based on Client server communication in java. What i'm doing is client and server have their own self signed certificates. In initial communication both client and server will exchange their certificates. Server has to verify clients certificate and should grant authentication. Where i struck was on what topic server can validate or invalidate a particular client..? I am unable to proceed from here. So please any of you can give brief explanation about it? if possible some Pseudocode in java..?

+1  A: 

Self signed certs can't be validated via normal PKI methods - i.e., check the cert chains up to a trust anchor, is not on a CRL etc.

When using self signed certs, the initial configuration will typically involve using an out-of-band mechanism to exchange the certs and fingerprints to verify them. These certs can then be added to a trusted store and used by your application. Of course, this out-of-band process would need to be repeated each time any of the self signed certs are renewed. This approach may be okay for a couple of apps that need to communicate securely, but it's pretty obvious that the self signed certs approach doesn't scale.

Another approach would be to use something like the openssl wrapper CA.pl to setup a mini CA and issue client certs off that. These issued certs would then all chain up to the one root. This root still has to be communicated securely to all relying parties, but non of the other certs issued off the root CA do.

UPDATE: (in response to the question in comments below)

Here are a few ways to get a cert fingerprint:

  • using openssl: openssl x509 -sha1 -in cert.pem -noout -fingerprint
  • on windows save it as a .cer file then doubleclick it then go to details tab
  • using this tool: online cert decoder

To improve security further the cert owner can use a different tool than the cert checker.

bignum
Thanks alot.. I got some thing.. I would like to know how can we verify by using fingerprints to authenticate clients. I dont want to use any third party CAs in my application. So i'm not using OpenSSL certificates. How we can authenticate clients by using Thumbprint?
Tadi Vijay Kumar
@Tadi Vijay Kumar: I've added some info on how to get a certificate fingerprint. Hope this helps.
bignum