
Get certificate by alias in keystore with multiple entries in Java


Ok! We are trying to implement a client-server application (chatroom). Of course the server is multithreaded. We wanted the communication to be secure, so we used SSL sockets and certificates. I have read that you can store multiple certificates and keys in one keystore. When a client enters the chat he needs to fill in his username.

  1. Do we have to connect the username to the alias of the certificate/key?

  2. If yes, how can we use the specific certificate/key from the keystore from the alias? Or is there another way? I mean, how can we "pick" the specific certificate depending on the name?

  3. Is there a way for the clients to create their certificates at the time they enter? (We want the certificates to be signed by a CA we have already implemented.)

Thank you!


Solution

  • Basically what you want is Mutual or 2-way SSL. Read these for more information: here and here

    In short, the SSL communication (in the context of certificates for authentication) works like this: the server will send its certificate to the client, and if that certificate is present in the client's certificate store, or Java's keystore in your case, then it authenticates the server.

    Typically the server never asks the client to send a certificate, but in your case you want it to, so that makes it Mutual or 2-way SSL. So, during the handshake process, the server will ask the client to send its certificate as well, and it will also check in its keystore whether that certificate is present; if so, then it will be happy, else it will end the SSL handshake.

    What you need:

    • Each of your clients and your server should have a valid certificate.
    • Your server should have those client certificates present in its "trust keystore", so that it can authenticate clients.
    • Each of your clients should have the server's certificate in its "trust keystore", so that it can authenticate the server.
    • Your server should be configured to support 2-way SSL. Read here for Weblogic.


    Answering your questions specifically:

    Do we have to connect the username to the alias of the certificate/key?

    No, the only thing you need is that the client certificate should be present in the server's "trust keystore". But since your client app and server are on the same machine, I would recommend having different JVM installations to run the client and the server, so that you can support different certificates.

    If yes, how can we use the specific certificate/key from the keystore from the alias? Or is there another way? I mean, how can we "pick" the specific certificate depending on the name?

    Not applicable.

    Is there a way for the clients to create their certificates at the time they enter? (We want the certificates to be signed by a CA we have already implemented.)

    Certificates should be prepared beforehand, and certificate creation and signing is a complex process: you have to generate a CSR, etc.

    Please do read this answer of mine for other details you may require while doing all this.
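For readers who do want to select a key entry by alias from a keystore with several entries (the original poster's question 2), and who want the server to enforce client certificates (mutual TLS) and derive the username from the certificate rather than from what the client types (question 1), here is an added example in plain JSSE. It is not code from the original question or answer. Everything it names is assumed: the keystore files client.p12, server.p12 and truststore.p12, the password "changeit", the aliases "alice"/"bob", and localhost:8443. JSSE's KeyManagerFactory picks a client alias on its own; wrapping its X509ExtendedKeyManager and overriding chooseClientAlias is the supported way to force a particular entry.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example, not from the original post. Assumed files and names:
//   client.p12     PKCS12 keystore with one key entry per user (aliases "alice", "bob", ...)
//   server.p12     PKCS12 keystore with the server's key entry
//   truststore.p12 holds only the chat CA certificate that signed all of the above
//   password "changeit" for every store, server listening on localhost:8443
public class AliasSelect {

    /** Key manager that offers exactly one alias to the peer; everything else is delegated. */
    static final class FixedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager d;
        private final String alias;
        FixedAliasKeyManager(X509ExtendedKeyManager d, String alias) { this.d = d; this.alias = alias; }
        @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return alias; }
        @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return alias; }
        @Override public String[] getClientAliases(String kt, Principal[] iss) { return d.getClientAliases(kt, iss); }
        @Override public String[] getServerAliases(String kt, Principal[] iss) { return d.getServerAliases(kt, iss); }
        @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return d.chooseServerAlias(kt, iss, s); }
        @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return d.chooseEngineServerAlias(kt, iss, e); }
        @Override public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    /** SSLContext that trusts only the chat CA and, if alias != null, authenticates with that key entry. */
    static SSLContext context(String keystore, String alias, char[] pw) throws Exception {
        KeyStore ks = load(keystore, pw);
        if (alias != null && !ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no key entry for alias " + alias);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyManager[] kms = kmf.getKeyManagers();
        if (alias != null) {
            for (int i = 0; i < kms.length; i++) {
                if (kms[i] instanceof X509ExtendedKeyManager) {
                    kms[i] = new FixedAliasKeyManager((X509ExtendedKeyManager) kms[i], alias);
                }
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("truststore.p12", pw));   // not the JDK's default cacerts: only our CA may vouch for peers
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: the identity is whatever the CA put in the client certificate, not what the client types. */
    static String authenticatedUser(SSLSocket s) throws SSLPeerUnverifiedException {
        X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
        return leaf.getSubjectX500Principal().getName();
    }

    static void runServer(char[] pw) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) context("server.p12", null, pw)
                .getServerSocketFactory().createServerSocket(8443);
        ss.setNeedClientAuth(true);   // setWantClientAuth would make the client cert optional; "need" fails the handshake without one
        while (true) {
            SSLSocket c = (SSLSocket) ss.accept();
            c.startHandshake();       // completes the client-auth exchange before any chat traffic is read
            System.out.println("client authenticated as " + authenticatedUser(c));
            c.close();
        }
    }

    static void runClient(String username, char[] pw) throws Exception {
        SSLSocket s = (SSLSocket) context("client.p12", username, pw)
                .getSocketFactory().createSocket("localhost", 8443);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");   // also verify the server cert's name matches "localhost"
        s.setSSLParameters(p);
        s.startHandshake();
        System.out.println("connected as " + username + " via " + s.getSession().getCipherSuite());
        s.close();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        if (args.length > 0 && args[0].equals("server")) runServer(pw);
        else runClient(args.length > 1 ? args[1] : "alice", pw);   // e.g. java AliasSelect client bob
    }
}
```

Two points worth checking in your own setup: the trust store handed to TrustManagerFactory should contain only the chat CA certificate, so that a client certificate signed by any other CA is rejected during the handshake instead of being accepted because it happens to be in the JDK's default cacerts; and the server should take the username from authenticatedUser(), which only returns a value after the handshake has verified the client's chain, rather than from a name the client sends in the clear after connecting.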