I'm working on a web app that allows our users to log in with certificates. This is working fine - the keystore/truststore, login modules, etc. all work correctly.
But there are a couple of different certificate authorities in our domain, and our users will often have multiple (theoretically valid) certificates loaded in their browser. To try to ensure future compatibility, we had configured our JBoss server to respect all the certificate authorities. This led to a problem - users will often register one certificate when they create their account, and try to log in with another.
Is there a mechanism in JBoss or the Java SSL stack to control which certificates the users can pick when they try to log in with a browser? For instance, could I restrict this list (in some places) to a list of certificates that matched some data in a database?
I could restrict the set of certificate authorities in our system, but I was wondering if there existed any programmatic solution?
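Added example, not the poster's code and not a JBoss API: in SunJSSE the subject names returned by the server's `X509TrustManager.getAcceptedIssuers()` are what goes into the CA list of the TLS 1.2 CertificateRequest, and browsers only offer certificates chaining to one of those names, so wrapping the trust manager is the programmatic hook for narrowing what the user can pick. The keystore, truststore and the `allowedIssuer` predicate are assumptions supplied by the caller (TLS 1.3 handling of that list varies by JDK version).

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.function.Predicate;
import javax.net.ssl.*;

/** Narrows the CA list a JSSE server advertises in the TLS CertificateRequest. */
public final class IssuerFilteringTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final Predicate<X509Certificate> allowedIssuer;  // hypothetical filter, e.g. by CA subject DN

    public IssuerFilteringTrustManager(X509TrustManager delegate, Predicate<X509Certificate> allowedIssuer) {
        this.delegate = delegate;
        this.allowedIssuer = allowedIssuer;
    }

    /** JSSE sends these subject DNs to the client; the browser only offers certificates chaining to them. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return Arrays.stream(delegate.getAcceptedIssuers())
                     .filter(allowedIssuer)
                     .toArray(X509Certificate[]::new);
    }

    /** Full path validation first, then reject chains rooted in a CA deliberately left off the list. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        boolean fromAllowedCa = Arrays.stream(getAcceptedIssuers()).anyMatch(ca ->
            Arrays.stream(chain).anyMatch(c -> c.getIssuerX500Principal().equals(ca.getSubjectX500Principal())));
        if (!fromAllowedCa) throw new CertificateException("client certificate not issued by a permitted CA");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    /** Builds a server SSLContext from an existing keystore/truststore pair with the filter installed. */
    public static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore,
                                   Predicate<X509Certificate> allowedIssuer) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];  // SunJSSE's PKIX manager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new IssuerFilteringTrustManager(platform, allowedIssuer) }, null);
        return ctx;
    }
}
```

The filter runs before any client certificate has arrived, so it can only select by issuer; checking that the presented certificate is the one registered for the account still belongs in the login module after the handshake.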