
Ok! We are trying to implement a client-server application (chatroom). Of course the server is multithreaded. We wanted the communication to be secure, so we used SSL sockets and certificates. I have read that you can store multiple certificates and keys in one keystore. When a client enters the chat he needs to fill in his username.

  1. Do we have to connect the username to the alias of the certificate/key?

  2. If yes, how can we use the specific certificate/key from the keystore via the alias? Or is there another way? I mean, how can we "pick" the specific certificate depending on the name?

  3. Is there a way for the clients to create their certificates at the time they enter? (We want the certificates to be signed by a CA we have already implemented.)

Thank you!

  • Why! Why do you want your clients to pass certificates to the server? Since you are talking about a chat application, if I understand correctly your clients will be browser applications, so why do you think that each client (in turn, a browser) will send you a certificate for authentication? If this is not what you intend, then your question is not clear. – hagrawal7777 Nov 06 '15 at 18:51
  • Sorry for the mistakes. But this is a Java project and I run client and server on localhost. Why do I need client authentication? Well, it's my assignment that wants that. Isn't that what you asked? – elli Nov 06 '15 at 19:02
  • Thanks elli for the clarification. I got your question now, genuine doubts. Please read my answer. – hagrawal7777 Nov 06 '15 at 19:25

1 Answer


Basically what you want is mutual or 2-way SSL. Read these for more information - here and here

In short, the way SSL communication works (in the context of certificates for authentication) is that the server sends its certificate to the client, and if that certificate is present in the client's certificate store (or Java's keystore in your case), then it authenticates the server.

Typically the server never asks the client to send a certificate, but in your case you want it, so that makes it mutual or 2-way SSL. So, during the handshake process, the server will also ask the client to send its certificate and will check in its keystore whether that certificate is present; if so, then it will be happy, else it will end the SSL handshake.

What you need:

  • Each of your clients and your server should have a valid certificate.
  • Your server should have those client certificates present in its "trust keystore", so that it can authenticate clients.
  • Each of your clients should have the server's certificate in its "trust keystore", so that it can authenticate the server.
  • Your server should be configured to support 2-way SSL. Read here for WebLogic.


Answering your questions specifically:

Do we have to connect the username to the alias of the certificate/key?

No, the only thing you want is that the client certificate should be present in the server's "trust keystore". But since your client app and server are on the same machine, I would recommend having different JVM installations to run client and server so that you can support different certificates.

If yes, how can we use the specific certificate/key from the keystore via the alias? Or is there another way? I mean, how can we "pick" the specific certificate depending on the name?

Not applicable.

Is there a way for the clients to create their certificates at the time they enter? (We want the certificates to be signed by a CA we have already implemented.)

Certificates should be prepared beforehand, and certificate creation and signing is a complex process; you have to generate a CSR etc.

Please do read this answer of mine for other details you may require while doing all this.
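Putting the answer's checklist into code, as an added example that is not part of the question or the answer: a server-side accept loop that requires a client certificate during the handshake and takes the authenticated identity from the verified certificate, which is the value a username could be tied to. The keystore file names, the port and the passwords are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example, not code from the question or answer. File names, port and
// passwords are placeholders: server.jks holds the server key pair,
// clients-trust.jks holds the client certificates (or their CA) to accept.
public class MutualTlsChatServer {
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }
    static SSLContext buildContext() throws Exception {
        char[] pass = "changeit".toCharArray();
        // Server's own key and certificate, presented to every client
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("server.jks", pass), pass);
        // Trust store: only client certificates chaining to this are accepted
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("clients-trust.jks", pass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    static void handle(SSLSocket client) {
        try (SSLSocket c = client) {
            c.startHandshake();   // fails here if the client sent no trusted certificate
            // The identity to tie the username to comes from the verified
            // certificate, not from whatever name the client types in.
            X509Certificate peer = (X509Certificate) c.getSession().getPeerCertificates()[0];
            System.out.println("Authenticated client: " + peer.getSubjectX500Principal().getName());
        } catch (Exception e) {
            System.err.println("Rejected client: " + e.getMessage());
        }
    }
    public static void main(String[] args) throws Exception {
        SSLServerSocket server = (SSLServerSocket)
                buildContext().getServerSocketFactory().createServerSocket(8443);
        // This single call turns one-way SSL into 2-way SSL: the server now
        // requires a client certificate and aborts the handshake without one.
        server.setNeedClientAuth(true);
        while (true) {
            SSLSocket client = (SSLSocket) server.accept();
            new Thread(() -> handle(client)).start();
        }
    }
}
```

A client connecting with a certificate that is not in clients-trust.jks is rejected inside startHandshake(), before any chat data is exchanged.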
