Monday, 15 July 2013

ssl - Trust a CA and its parent CA, but not other derived CAs (Java application)


Edit 1: See the comments. My client/server is in Java, so implementing my own javax.net.ssl.TrustManager is among the possible solutions.

I have a problem with the client connecting to an SSL-enabled server socket. I have 3 CAs:

  • Root CA: used to sign the other CAs.
  • Tester CA: signed by the Root CA, used to sign beta-tester client certificates.
  • Production CA: signed by the Root CA, used to sign the production clients' certificates for the server.

I want to make a truststore for the server that:

  • Allows all client certificates signed by the Tester CA.
  • Allows all client certificates signed by the Root CA.
  • Denies all client certificates signed by the Production CA.

My problem: if I put only the Tester CA certificate in my truststore, then clients with certificates signed by the Root CA fail (a certificate chain was expected). If I generate a truststore that contains both the Tester CA and the Root CA, then production certificates signed by the Production CA are also allowed.

Is there any way to do this?

Here is a dirty way! You can break the chain server cert -> intermediate cert (Production CA) in the keystore, so that the former can no longer be verified via the Root CA.

Export the server certificate entry from the keystore, remove the issuer (Production CA) certificate from the PEM file, and import it back.

-----BEGIN CERTIFICATE----- <...> -----END CERTIFICATE----- : the server certificate, with the issuer's (Prod CA) certificate below it. Remove the issuer and import the .pem file back.

  > keytool -importcert -keystore store.jks -alias salias -file broke.pem  

Now when the server presents its server certificate, it cannot be verified via the Root CA in the truststore, because the chain server cert -> Production CA -> Root CA is broken.
