Tuesday, 8 April 2014

Having a keystore with 2 certificates

You are able to have more than one key and certificate chain in your keystore. A problem arises only when you are using the default key manager to pick the cert that represents your client to the server. If the wrong cert is picked, then the server will not accept you as a trusted client.

In this example you have 2 aliases. Both are key/certificate chain entries in the keystore. Both aliases have the same CN (common name) in their certs. From what I can see from my testing, the default key manager finds the matching aliases with the same CN. If you have 2 certs that use the same CN then you might have a problem, since you do not know which cert the default key manager will pick to represent the client to the server.

Snippet output from javax.net.debug=all

You will see this print out after the server has requested the client certificate.

*** ServerHelloDone
matching alias: client1
matching alias: client2
*** Certificate chain

It picks the first in the list of its print out.
The rest of the print out will then be the details of the client1 alias in the keystore, which it uses to identify the client to the server. It might have picked the wrong alias, which will give you an unknown_ca error.

What I noticed about the default key manager picking aliases

  • it does not pick them alphabetically.
  • it does pick the first entry in the keystore.

The only place I could find this information is here.

If you need to use certificates that have very similar attributes then you have to implement your own custom KeyManager so you can choose the correct alias to represent your client to the server. If only it was easy to configure the default KeyManager....