I'm quite new to SSL, but I managed to set up server and client certification on my Java application. I generated the keystores and truststore using keytool. This works quite nicely.
Now I'm looking for ways to add a new client certificate to my server truststore; once this is done, my server will accept the connection from the new client.
My current plan is:
Sounds simple, but when you think of it a few things can go wrong:
Thanks for the ideas!
Or does the certificate only contain the public information and is the "private" information still in the keystore?
Yes.
Is it a wise thing to implement my own TrustManager on the server side so that I can manage trusted client certificates easily?
No. You should let the truststore system do what it wants to do for authentication, and then use a handshake listener to get the peer certificate to authorise it. Don't confuse or conflate these two steps: they are distinct, and both parts are required.
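The two-step separation the answer describes (the truststore authenticates the chain, a handshake listener authorises the peer), shown as an added Java example that is not part of the original question or answer. It assumes the keystore and truststore are supplied through the standard `javax.net.ssl.*` system properties, as they would be with keytool-generated stores; the `ClientAuthoriser` class, its allow-list of SHA-256 certificate fingerprints and the port number are hypothetical.

```java
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Authorisation step that runs only after the JSSE trust manager has already
 * authenticated the client's certificate chain against the truststore.
 * Hypothetical example class; the allow-list would normally be loaded from a
 * file or database rather than filled in from main().
 */
public final class ClientAuthoriser implements HandshakeCompletedListener {

    // Lower-case hex SHA-256 fingerprints of client certificates allowed to connect.
    private final Set<String> allowedFingerprints = ConcurrentHashMap.newKeySet();

    public void allow(String sha256Hex) {
        allowedFingerprints.add(sha256Hex.toLowerCase().replace(":", ""));
    }

    public void revoke(String sha256Hex) {
        allowedFingerprints.remove(sha256Hex.toLowerCase().replace(":", ""));
    }

    /** SHA-256 over the DER encoding of the certificate, as lower-case hex. */
    public static String fingerprint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** True if the presented leaf certificate is on the allow-list. */
    public boolean isAuthorised(X509Certificate leaf) {
        try {
            return allowedFingerprints.contains(fingerprint(leaf));
        } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    @Override
    public void handshakeCompleted(HandshakeCompletedEvent event) {
        SSLSocket socket = event.getSocket();
        try {
            // Authentication is already done: getPeerCertificates() only returns a
            // chain the trust manager accepted, and throws if none was presented.
            Certificate[] chain = event.getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            if (!isAuthorised(leaf)) {
                System.err.println("Rejecting authenticated but unauthorised client: "
                        + leaf.getSubjectX500Principal().getName());
                socket.close();
            }
        } catch (SSLPeerUnverifiedException e) {
            // No client certificate; with setNeedClientAuth(true) the handshake itself
            // fails first, so this branch is purely defensive.
            closeQuietly(socket);
        } catch (IOException e) {
            closeQuietly(socket);
        }
    }

    private static void closeQuietly(SSLSocket socket) {
        try { socket.close(); } catch (IOException ignored) { }
    }

    // Minimal server loop wiring both steps together (hypothetical port 8443).
    public static void main(String[] args) throws IOException {
        ClientAuthoriser authoriser = new ClientAuthoriser();
        // Placeholder: pass the real client certificate fingerprint as the first argument.
        authoriser.allow(args.length > 0 ? args[0] : "<sha256-fingerprint-placeholder>");
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            server.setNeedClientAuth(true);                        // step 1: authentication
            while (true) {
                SSLSocket client = (SSLSocket) server.accept();
                client.addHandshakeCompletedListener(authoriser);  // step 2: authorisation
                client.startHandshake();
                // hand `client` to a worker thread here
            }
        }
    }
}
```

Adding or revoking a client is then a call to `allow` or `revoke` with the certificate's fingerprint (`keytool -printcert -file client.cer` prints it), with no change to the truststore and no custom TrustManager. One caveat: JSSE invokes `HandshakeCompletedListener` on a separate thread after `startHandshake()` returns, so a worker must not start serving the connection before the listener has run; the synchronous equivalent is to call `client.getSession().getPeerCertificates()` right after `startHandshake()` and apply the same `isAuthorised` check before handing the socket off.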