2 Replies Latest reply on Apr 10, 2009 10:23 AM by fthurber

    Two-way SSL, which certificate does the client send?


      I have two JBoss servers running our application, one a client and the other a server, connected by https, and I have a question about client certificates. However, when I turned on clientAuth (and CLIENT-CERT), the client JBoss does not seem to send the correct certificate. I get this error:

      SSLHandshakeException: Received fatal alert: bad_certificate
      


      I have checked the truststores on both JBoss servers, and they seem to be loaded correctly, etc. The trust and identity stores are set up in the usual JBoss fashion and named Identity.jks and Truststore.jks.

      However, I am wondering which certificate the client actually sends when the server asks for the client cert. I would think that it would send my self-signed cert in Identity.jks, but now I am not sure it does.

      Does my client code know enough to find the cert in Identity.jks or do I need to explicitly set the javax.net.ssl.keyStore system property? I tried doing this in the JAVA_ARGS in the run.sh, but there were dire consequences. Do I need to do this in my application code?




        • 1. Re: Two-way SSL, which certificate does the client send?


          My tests seem to indicate that the client Java code running in JBoss is not aware of the enclosing JBoss' keystore and truststore. It is not clear where it is getting a certificate when the server asks for one during two-way SSL, but the certificate sent is considered bad. I would think that it looks in cacerts or ~/.keystore, but this does not help.

          I need to find a way to tell the client code to use the JBoss keystore without changing the code...

          • 2. Re: Two-way SSL, which certificate does the client send?

            The mbean SystemPropertiesService should allow me to set java System properties. Hopefully I can use this to set the javax.net.ssl.keyStore to the JBoss Identity keystore.
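An added example (not code from the thread or from JBoss) showing what the thread is asking about: in JSSE, the certificate an outgoing HTTPS client sends is chosen by the X509KeyManager of the SSLContext the connection uses. The keystore configured on the JBoss/Tomcat HTTPS connector only serves the inbound (server) side; an HttpsURLConnection opened by application code uses the JVM's default SSLContext, whose key manager is populated from javax.net.ssl.keyStore and otherwise holds no key at all. In that case the client answers the CertificateRequest with an empty chain, and a server that requires client auth sends back the bad_certificate alert. The code below builds an SSLContext explicitly from Identity.jks and Truststore.jks and, before connecting, asks the key manager which alias it would present. Store paths, passwords and the server URL are assumptions, since the thread does not give them.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

public class MutualTlsClient {

    // Assumed locations and passwords: the thread only names the files.
    static final String IDENTITY_STORE = "/opt/jboss/server/default/conf/Identity.jks";
    static final char[] IDENTITY_PASS  = "changeit".toCharArray();
    static final String TRUST_STORE    = "/opt/jboss/server/default/conf/Truststore.jks";
    static final char[] TRUST_PASS     = "changeit".toCharArray();

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // The key managers decide which certificate (if any) is sent as the client cert.
    static KeyManager[] loadKeyManagers() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Second argument is the private-key password; assumed equal to the store password here.
        kmf.init(loadJks(IDENTITY_STORE, IDENTITY_PASS), IDENTITY_PASS);
        return kmf.getKeyManagers();
    }

    // The trust managers decide whether the *server's* certificate is accepted.
    static TrustManager[] loadTrustManagers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(TRUST_STORE, TRUST_PASS));
        return tmf.getTrustManagers();
    }

    static SSLContext buildClientContext(KeyManager[] kms, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        return ctx;
    }

    /**
     * Ask the key manager what it would present for the given key type and accepted-issuer list.
     * A null alias means the client will send an empty certificate chain on the wire.
     */
    static String describeClientCert(KeyManager[] kms, Principal[] acceptedIssuers) {
        for (KeyManager km : kms) {
            if (km instanceof X509KeyManager) {
                X509KeyManager x = (X509KeyManager) km;
                String alias = x.chooseClientAlias(new String[] {"RSA"}, acceptedIssuers, null);
                if (alias == null) {
                    return "no client certificate would be sent (empty chain)";
                }
                X509Certificate[] chain = x.getCertificateChain(alias);
                return "alias=" + alias + " subject=" + chain[0].getSubjectX500Principal()
                        + " issuer=" + chain[0].getIssuerX500Principal();
            }
        }
        return "no X509KeyManager present";
    }

    public static void main(String[] args) throws Exception {
        KeyManager[] kms = loadKeyManagers();
        // With no issuer filter: shows what is available in Identity.jks at all.
        System.out.println("Client identity: " + describeClientCert(kms, null));

        SSLContext ctx = buildClientContext(kms, loadTrustManagers());
        URL url = new URL(args.length > 0 ? args[0] : "https://server.example.com:8443/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scoped to this connection; setDefaultSSLSocketFactory would affect every client in the JVM.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two things to check when the alias comes back null even though Identity.jks holds a key. First, the key manager only returns an alias whose key type the server asked for; the example queries "RSA", the type keytool generated by default. Second, during the real handshake the server's CertificateRequest carries the distinguished names from its own truststore, and the default SunX509 key manager skips any alias whose chain contains no certificate issued by one of those names. For a self-signed client cert, issuer equals subject, so the server's Truststore.jks must contain that very certificate or the client will silently send an empty chain. Passing the server's CA names as acceptedIssuers to describeClientCert reproduces that filter offline; running the client with -Djavax.net.debug=ssl,handshake shows the same decision on the wire as the "Certificate chain" section of the handshake trace. Setting javax.net.ssl.keyStore via SystemPropertiesService, as the last reply proposes, has the same effect as this code but for the JVM's default context, i.e. for every JSSE client running inside that JBoss instance.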