JDK Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.32, 2006

SSL - Client Authentication

Sample programs listed in this chapter have been tested with JDK 1.5.0.

What is SSL Client Authentication

As mentioned earlier in this book, the SSL handshake follows this sequence:

   Client                  Server
   
   Client Hello        -->   
                       <-- Server Hello
                       <-- Server Certificate (optional)
                       <-- Server Key Exchange (optional)
                       <-- Certificate Request (optional)
   Certificate         -->
   Client Key Exchange -->
   Certificate Verify  -->
   Change Cipher Spec  -->
   Finished            -->
                       <-- Change Cipher Spec
                       <-- Finished

Two identity authentications may happen during this process:

1. Server Authentication - The server program must have access to the server's "full" certificate, which contains the server's identity, public key and private key. During the handshake, the server extracts the server's "public" certificate (identity and public key only) and sends it to the client. On the client side, the client program must be able to authenticate the server's identity by validating this "public" certificate. One way to do this is to install the server's "public" certificate in the client program's store as a trusted certificate. Server authentication seems to be always required.

2. Client Authentication - This is the exact mirror of server authentication: the client holds its own "full" certificate, sends its "public" certificate when the server asks for it (the "Certificate Request" message above), and the server validates it. However, client authentication is optional for SSL communication.

Preparing Certificates for Client Authentication

JDK "keytool" seems to be a good tool to generate and manage certificates, so I will use "keytool" to generate and manage the "full" and "public" certificates for both the server and the client side. Let's see what I did on the server side first:

>keytool -genkey -alias server_full -keypass ServerKey
   -keystore server.jks -storepass ServerJKS 

What is your first and last name?
  [Unknown]:  my.server.com
What is the name of your organizational unit?
  [Unknown]:  My Unit
What is the name of your organization?
  [Unknown]:  My Home
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My State...
  [no]:  yes

>keytool -export -alias server_full -file server_pub.crt 
   -keystore server.jks -storepass ServerJKS

Certificate stored in file <server_pub.crt>

>"send server_pub.crt to the client side..."
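The following script is an added example and not part of the tutorial. It carries the "mirror process" from the two-authentication description and the server-side keytool steps above through to the client side: it creates a server and a client keystore, exports each side's "public" certificate, and installs each certificate into the other side's trust store, then checks the result. It assumes a JDK "keytool" on the PATH; the client name "my.client.com", the passwords other than the tutorial's ServerKey/ServerJKS, the separate *_trust.jks trust stores and the scratch directory are constructed for this example. It uses -dname and -keyalg so that no interactive answers are needed (recent JDKs require -keyalg).

```shell
#!/bin/sh
# Added example for the client-authentication chapter; not the tutorial's
# own script. Mirrors the server-side keytool steps on the client side and
# cross-installs the two "public" certificates as trusted certificates.
# Names, passwords (except the tutorial's) and WORKDIR are constructed.
set -eu
export LC_ALL=C                       # keep keytool's output parseable

WORKDIR="${WORKDIR:-$(mktemp -d)}"    # constructed scratch directory

# Subjects: the server one matches the tutorial's answers, the client one
# is a placeholder chosen for this example.
SERVER_DN="CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My State, C=US"
CLIENT_DN="CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My State, C=US"

have_keytool() { command -v keytool >/dev/null 2>&1; }

# make_identity SIDE DN KEYPASS STOREPASS
# Creates SIDE.jks holding the "full" certificate (alias SIDE_full, private
# key included) and exports the "public" certificate to SIDE_pub.crt.
make_identity() {
  side="$1"; dn="$2"; keypass="$3"; storepass="$4"
  keytool -genkeypair -alias "${side}_full" -dname "$dn" \
      -keyalg RSA -keysize 2048 -validity 365 \
      -keystore "$WORKDIR/$side.jks" -storetype JKS \
      -storepass "$storepass" -keypass "$keypass" >/dev/null
  keytool -exportcert -alias "${side}_full" -file "$WORKDIR/${side}_pub.crt" \
      -keystore "$WORKDIR/$side.jks" -storepass "$storepass" >/dev/null
}

# trust_peer OWNER PEER STOREPASS
# Installs PEER_pub.crt into OWNER_trust.jks as a trusted certificate.
# A trust store holds no private key, so it can be distributed freely;
# the identity store (OWNER.jks) must stay on OWNER's machine.
trust_peer() {
  owner="$1"; peer="$2"; storepass="$3"
  keytool -importcert -noprompt -alias "${peer}_pub" \
      -file "$WORKDIR/${peer}_pub.crt" \
      -keystore "$WORKDIR/${owner}_trust.jks" -storetype JKS \
      -storepass "$storepass" >/dev/null
}

# entry_type STORE STOREPASS ALIAS  ->  PrivateKeyEntry | trustedCertEntry
entry_type() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# same_cert STORE1 PASS1 ALIAS1 STORE2 PASS2 ALIAS2
# Succeeds only when both aliases hold the identical certificate (PEM
# compare), i.e. the trusted entry really is the peer's exported one.
same_cert() {
  a=$(keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass "$2")
  b=$(keytool -exportcert -rfc -alias "$6" -keystore "$4" -storepass "$5")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Full procedure: server identity (tutorial's step), client identity (the
# mirror), then each side trusts the other's "public" certificate.
prepare_mutual_auth_stores() {
  rm -f "$WORKDIR"/*.jks "$WORKDIR"/*.crt      # make re-runs idempotent
  make_identity server "$SERVER_DN" ServerKey ServerJKS   # tutorial's passwords
  make_identity client "$CLIENT_DN" ClientKey ClientJKS   # constructed passwords
  trust_peer client server ClientTrust   # "send server_pub.crt to the client"
  trust_peer server client ServerTrust   # and the mirror: client_pub.crt to server
}

if have_keytool; then
  prepare_mutual_auth_stores
  echo "Server-side trust store after the exchange:"
  keytool -list -keystore "$WORKDIR/server_trust.jks" -storepass ServerTrust
else
  echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

Keeping the trusted certificates in a separate trust store rather than in server.jks/client.jks is a choice made here, not something the tutorial prescribes: the store that will be handed to the peer then never contains a private key, and the check in same_cert confirms that what each side trusts is byte-for-byte the certificate the other side exported.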

(Continued on next part...)

Dr. Herong Yang, updated in 2006