
I am trying to build a server for Gemini in Java that uses client authentication with self-signed certificates, similar to the CertFP authentication used in IRC or the self-signed identities in Mumble.

I can authenticate a user without problem when the cert is an S/MIME certificate signed by a supported CA, or a web-site certificate such as www.domain.com issued by Let's Encrypt, since both can be validated via the CA store. To do pseudonymous authentication it is necessary to accept any self-signed client certificate in order to get the cert hash; that works in other programming languages like Python or Go, but I am not finding an option to configure it in Java. I assume I will have to write a custom authentication checker, but I have no idea how.

Alex Lehmann

Comments:

  • Does this answer your question? [JDK 11 import root ca certificates into keystore](https://stackoverflow.com/questions/53727161/jdk-11-import-root-ca-certificates-into-keystore) – njzk2 May 02 '23 at 19:26
  • The problem is I cannot import root CAs into the keystore, since random users will be registering with the server when they create an account and they should be able to create their own certs. It would be possible to have users request a cert from a custom CA, but that is not the user experience I expect. – Alex Lehmann May 02 '23 at 19:29
  • Have you tried [implementing your own `X509TrustManager`](https://stackoverflow.com/a/5671038/589259)? Beware that you have to make sure that the correct tests are implemented when you are doing that; you might want to check e.g. the validity period (although that could be moot if you only accept self-signed certs). – Maarten Bodewes May 02 '23 at 19:36
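An added example, not code from the question or the comments, of the custom `X509TrustManager` the last comment suggests: it accepts a client certificate regardless of who issued it, so a Gemini server can identify the user by the certificate's SHA-256 fingerprint, while keeping the validity-period check the comment mentions. The class and method names are my own; `HexFormat` assumes Java 17 or later.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.X509TrustManager;

/** Accepts any client certificate regardless of issuer (CertFP-style pseudonymous
 *  identity) but still rejects certificates outside their validity period. */
public final class FingerprintTrustManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        // Only the leaf matters; the chain is deliberately not walked to any CA.
        chain[0].checkValidity(); // throws CertificateExpired/NotYetValidException
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Server side only: never use this manager to trust a remote server.
        throw new CertificateException("not for validating server certificates");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Empty list: the CertificateRequest names no CAs, so clients offer
        // whatever (self-signed) certificate they have.
        return new X509Certificate[0];
    }

    /** SHA-256 over the DER encoding; use this as the user's identity key. */
    public static String fingerprint(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}
```

Install it with `sslContext.init(keyManagers, new TrustManager[]{ new FingerprintTrustManager() }, null)`, call `setWantClientAuth(true)` on the server socket, and after the handshake pass `(X509Certificate) session.getPeerCertificates()[0]` to `fingerprint()` to look the user up.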

0 Answers