开发者

Self signed Certificate Based Authentication

开发者 https://www.devze.com 2022-12-29 11:55 出处:网络
I have started a project based on Client server communication in java. What i\'m doing is client and server have their own self signed certificates. In initial communication both client and server wil

I have started a project based on Client server communication in java. What i'm doing is client and server have their own self signed certificates. In initial communication both client and server will exchange their certificates. Server has to verify clients certificate and should开发者_JS百科 grant authentication. Where i struck was on what topic server can validate or invalidate a particular client..? I am unable to proceed from here. So please any of you can give brief explanation about it? if possible some Pseudocode in java..?


Self signed certs can't be validated via normal PKI methods - i.e., check the cert chains up to a trust anchor, is not on a CRL etc.

When using self signed certs, the initial configuration will typically involve using an out-of-band mechanism to exchange the certs and fingerprints to verify them. These certs can then be added to a trusted store and used by your application. Of course, this out-of-band process would need to be repeated each time any of the self signed certs are renewed. This approach may be okay for a couple of apps that need to communicate securely, but it's pretty obvious that the self signed certs approach doesn't scale.

Another approach would be to use something like the openssl wrapper CA.pl to setup a mini CA and issue client certs off that. These issued certs would then all chain up to the one root. This root still has to be communicated securely to all relying parties, but non of the other certs issued off the root CA do.

UPDATE: (in response to the question in comments below)

Here are a few ways to get a cert fingerprint:

  • using openssl: openssl x509 -sha1 -in cert.pem -noout -fingerprint
  • on windows save it as a .cer file then doubleclick it then go to details tab
  • using this tool: online cert decoder

To improve security further the cert owner can use a different tool than the cert checker.

0

精彩评论

暂无评论...
验证码 换一张
取 消