Choosing SSL client certificate in Java

by

The configuration is done via an SSLContext, which is effectively a factory for the SSLSocketFactory (or SSLEngine). By default, this will be configured from the javax.net.ssl.* properties. In addition, when a server requests a certificate, it sends a TLS/SSL CertificateRequest message that contains a list of CA’s distinguished names that it’s willing to accept. Although this list is strictly speaking only indicative (i.e. servers could accept certs from issuers not in the list or could refuse valid certs from CAs in the list), it usually works this way.

By default, the certificate chooser in the X509KeyManager configured within the SSLContext (again you normally don’t have to worry about it), will pick one of the certificates that has been issued by one in the list (or can be chained to an issuer there).
That list is the issuers parameter in X509KeyManager.chooseClientAlias (the alias is the alias name for the cert you want to picked, as referred to within the keystore). If you have multiple candidates, you can also use the socket parameter, which will get you the peer’s IP address if that helps making a choice.

If this helps, you may find using jSSLutils (and its wrapper) for the configuration of your SSLContext (these are mainly helper classes to build SSLContexts). (Note that this example is for choosing the server-side alias, but it can be adapted, the source code is available.)

Once you’ve done this, you should look for the documentation regarding the axis.socketSecureFactorysystem property in Axis (and SecureSocketFactory). If you look at the Axis source code, it shouldn’t be too difficult to build a org.apache.axis.components.net.SunJSSESocketFactory that’s initialized from the SSLContext of your choice (see this question).

Just realized you were talking about Axis2, where the SecureSocketFactory seems to have disappeared. You might be able to find a workaround using the default SSLContext, but this will affect your entire application (which isn’t great). If you use a X509KeyManagerWrapper of jSSLutils, you might be able to use the default X509KeyManager and treat only certain hosts as an exception. (This is not an ideal situation, I’m not sure how to use a custom SSLContext/SSLSocketFactory in Axis 2.)

Alternatively, according to this Axis 2 document, it looks like Axis 2 uses Apache HTTP Client 3.x:

If you want to perform SSL client
authentication (2-way SSL), you may
use the Protocol.registerProtocol
feature of HttpClient. You can
overwrite the “https” protocol, or use
a different protocol for your SSL
client authentication communications
if you don’t want to mess with regular
https. Find more information at
http://jakarta.apache.org/commons/httpclient/sslguide.html

In this case, the SslContextedSecureProtocolSocketFactory should help you configure an SSLContext.

More Related Contents:

  1. Extended server_name (SNI Extension) not sent with jdk1.8.0 but send with jdk1.7.0
  2. Java: Overriding function to disable SSL certificate check
  3. javax.net.ssl.SSLException: SSL handshake aborted Connection reset by peer while calling webservice Android
  4. Received fatal alert: handshake_failure through SSLHandshakeException
  5. Java client certificates over HTTPS/SSL
  6. why doesn’t java send the client certificate during SSL handshake?
  7. How to ignore SSL certificate errors in Apache HttpClient 4.0
  8. Trust Store vs Key Store – creating with keytool
  9. Import PEM into Java Key Store
  10. Does Java support Let’s Encrypt certificates?
  11. Read RSA private key of format PKCS1 in JAVA
  12. How to set TLS version on apache HttpClient
  13. Javamail Could not convert socket to TLS GMail
  14. How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
  15. Whats an easy way to totally ignore ssl with java url connections?
  16. Why does Java’s SSLSocket send a version 2 client hello?
  17. JAXB Exception: Class not known to this context
  18. How do I do TLS with BouncyCastle?
  19. Jersey – How to mock service
  20. Changing the default XML namespace prefix generated with JAXWS
  21. Java SSL connect, add server cert to keystore programmatically
  22. how to send an array in url request
  23. Using SSLContext with just a CA certificate and no keystore
  24. How to configure trustStore for javax.net.ssl.trustStore on windows?
  25. How to query a web service via POST request in Android?
  26. Android SSL HttpGet (No peer certificate) error OR (Connection closed by peer) error
  27. SSL “Peer Not Authenticated” error with HttpClient 4.1
  28. How to use .key and .crt file in java that generated by openssl?
  29. How to build a SSLSocketFactory from PEM certificate and key without converting to keystore?
  30. Creating .p12 truststore with openssl

Leave a Comment