[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: [iaik-jce] Client authentication again/how to insert client certificate in ssl3.keystore


ssl3.keystore is only used for the demo. For that purpose you only may
uncomment line


for setting certificates.

However, if you write your own client (or server) you may get your
keys/certificates from any source (your own keystore, cert files,
PKCS#12,...). Use proper addCredentials methods for adding your own
keys/certificates allowing you to authenticate against the peer. Use
addTrustedCertificate (or immediately access or write a ChainVerifier) for
deciding whom you want to trust. Please refer to
http://jcewww.iaik.at/iSaSiLk/doc/certs.htm for a description on iSaSilk´s
certificate handling mechanisms.

Dieter Bratko

-----Ursprüngliche Nachricht-----
Von: iaik-jce-owner@iaik.tu-graz.ac.at
[mailto:iaik-jce-owner@iaik.tu-graz.ac.at]Im Auftrag von Steinar
Gesendet: Samstag, 17. Februar 2001 23:20
An: iaik-jce@iaik.tu-graz.ac.at
Betreff: [iaik-jce] Client authentication again/how to insert client
certificate in ssl3.keystore


I am running the demo.basic.SSLClient localhost:4433 againt the demo
I have compiled a local version of the SSLServer where I do not allow
clients without
certificates. The SSLServer.java was changed by the comment of the
second line below.

    // accept clients without certificate as well
//    serverContext.addTrustedCertificate(null);

After funning demo.basic.SSLClient, the server output window was:
ssl_debug(1): ChainVerifier: Empty peer certificate chain, NOT OK

The client output window:

ssl_debug(1): Received alert message: Alert Fatal: bad certificate
ssl_debug(1): SSLException while handshaking: Peer sent alert: Alert
Fatal: bad

This is as expected.
However, how can I insert a valid client certifiace in the ssl3.keystore
so the client can be
authenticated by the server?

Thanks for any help. It have performed a *lot* of tests and trials, but
I can't
continue like this anymore. I need to ask for professionals advise.

With regards Steinar Orset

Mailinglist-archive at

To unsubscribe send an email to listserv@iaik.at with the folowing content: