I am calling a webservice that requires client certificate authentication.
If I specify a Java keystore containing a single certificate (the client certificate the service expects), then everything works fine. However, if I use a keystore that contains multiple certificates, then I can't seem to be able to specify which certificate should be picked up by the client; the client seems to pick up the first available certificate (in alphabetical order).
I have tried the following property but without expected result:
System.setProperty("com.sun.enterprise.security.httpsOutboundKeyAlias", "my-client-certificate alias");
How can I specify which client certificate alias that should be used?
Short answer: it cannot be done with the default Java SSL implementation.
Long answer: I looked at how the SSL handshake is implemented in sun.security.ssl.ClientHandshaker. In its method serverHelloDone, X509ExtendedKeyManager.chooseClientAlias is called. Its implementations are really done in such a way that they return the first alias whose entry matches the given key algorithm and a few other things. There is no way to tweak the alias selection.
For those who can change the code, this looks like a promising workaround: http://www.44342.com/java-f392-t785-p1.htm
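One way to apply that kind of workaround in code, as an added example that is neither the code behind the link above nor part of the original post: a client-side X509ExtendedKeyManager that loads one chosen alias from the keystore and returns it from chooseClientAlias instead of letting the default key manager pick the first match. The class name and the contextFor helper are this example's own.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/** Client-side key manager that always offers one pinned keystore alias (example, not the JDK's code). */
public final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final String alias;
    private final PrivateKey key;
    private final X509Certificate[] chain;

    public PinnedAliasKeyManager(KeyStore ks, char[] keyPassword, String alias) throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias)) {   // fail at startup, not mid-handshake with an empty certificate
            throw new IllegalArgumentException("no private-key entry for alias: " + alias);
        }
        this.alias = alias;
        this.key = (PrivateKey) ks.getKey(alias, keyPassword);
        Certificate[] raw = ks.getCertificateChain(alias);
        this.chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
    }

    /** Offer the pinned key only if the server accepts its algorithm ("RSA", "EC", ...). */
    private String pinnedIfUsable(String[] keyTypes) {
        return Arrays.asList(keyTypes).contains(key.getAlgorithm()) ? alias : null;
    }
    @Override public String chooseClientAlias(String[] kt, Principal[] issuers, Socket s) { return pinnedIfUsable(kt); }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] issuers, SSLEngine e) { return pinnedIfUsable(kt); }
    @Override public String[] getClientAliases(String kt, Principal[] issuers) { return pinnedIfUsable(new String[] {kt}) == null ? null : new String[] {alias}; }
    @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain.clone() : null; }
    @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
    // Client-only manager: it never presents a server certificate.
    @Override public String[] getServerAliases(String kt, Principal[] issuers) { return null; }
    @Override public String chooseServerAlias(String kt, Principal[] issuers, Socket s) { return null; }

    /** SSLContext whose client-auth certificate is always the pinned alias; the trust store stays the JVM default. */
    public static SSLContext contextFor(KeyStore ks, char[] keyPassword, String alias) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] {new PinnedAliasKeyManager(ks, keyPassword, alias)}, null, null);
        return ctx;
    }
}
```

For an HttpsURLConnection client, install it with `connection.setSSLSocketFactory(PinnedAliasKeyManager.contextFor(keyStore, password, "my-client-certificate alias").getSocketFactory())` before connecting.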