Hello,

I am building an application that will provide support services to client applications running on the users' machines. Communication between clients and the server is XML-RPC based and must be secure, i.e. use SSL for both client and server authentication. The server will have to be able to generate certificates for clients (it will be a certificate authority). The server will eventually work as a cluster of JBosses, but for now only one JBoss is used.

Question:
I've read that it is advisable to perform the SSL authentication in a separate web server (e.g. Apache) that forwards requests to the cluster. This makes sense to me, especially since I wouldn't want to replicate the SSL configuration in each app server in the cluster. However, the server has to be able to dynamically generate certificates and be able to accept them immediatelly in a subsequent client request. This means that the intermediary web server performing SSL authentication of clients must be dynamically supplied with a new client certificate that needs to be honoured. It doesn't help that the business logic performing the generation of client certificates will reside in app servers, i.e. not on the intermediary web server. Has anyone encountered this problem? How can I create this distributed architecture with the least pain, if at all?

Thanks,
Alex