
I'm new to SSL and trying to figure out how to get it working with a Java Netty server. I want to do essentially this: "Correctly creating a new certificate with an intermediate certificate using Bouncy Castle". I want to create certificates for different clients and have them talk to my server. I generate unique certificates per client, but I have two basic questions regarding SSL implementation in Java.

  1. When I create my intermediate certificate to sign the client certs, is this basically a one-time thing similar to creating the root cert? Meaning, in the example, the author generates a KeyPair intermediatePair. Do I regenerate this KeyPair when I sign different client certs? My guess is no, and that I should save this intermediate cert somewhere and then load it when my server starts.

  2. How do clients actually get trusted by the server? Is it the fact that the certificate they have is signed by the server's rootcert->intermediatecert and that creates the chain of trust? Or, after I create my certificate, do I need to add that cert to the KeyStore trustStore I'm using when my server starts? Something like this (pseudocode):

    import java.io.InputStream;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.Paths;
    import java.security.KeyStore;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    // Create an empty in-memory truststore
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    trustStore.load(null, null);
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    // Read the encoded client certificate from disk and parse it
    Path p = Paths.get(path);
    X509Certificate certificate;
    try (InputStream in = Files.newInputStream(p)) {
        certificate = (X509Certificate) certificateFactory.generateCertificate(in);
    }
    // Register it as a trusted certificate entry
    trustStore.setCertificateEntry("certificateName", certificate);

  • There are two or three specific questions here. There is nothing 'too broad' about this question. Commented Aug 3, 2017 at 22:23

1 Answer


When I create my intermediate certificate to sign the client certs, is this basically a one time thing similar to creating the root cert?

One time until it expires.

Meaning, in the example, the author generates a KeyPair intermediatePair. Do I regenerate this KeyPair when I sign different client certs?

No.

My guess is no, and that I should save this intermediate cert somewhere and then load it when my server starts.

Yes.
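As an added example (not code from the question, the answer, or the Bouncy Castle post being referenced), the following shows one way to do what the answer recommends: persist the intermediate CA's private key together with its certificate chain in a PKCS12 keystore once, then reload it at server start instead of generating a fresh KeyPair for every client certificate. The file name, alias and password are assumptions; `intermediatePair`, `intermediateCert` and `rootCert` stand for the objects produced by whatever CA-creation code you already have.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class IntermediateCaStore {
    // Assumed values for this example; pick your own file name, alias and password source.
    static final String STORE_PATH = "intermediate-ca.p12";
    static final String ALIAS = "intermediate";
    static final char[] PASSWORD = "change-me".toCharArray();

    /** Run once, when the intermediate CA is created. */
    static void save(KeyPair intermediatePair, X509Certificate intermediateCert,
                     X509Certificate rootCert) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        // The chain for a key entry is leaf first: intermediate, then the root that signed it.
        Certificate[] chain = { intermediateCert, rootCert };
        ks.setKeyEntry(ALIAS, intermediatePair.getPrivate(), PASSWORD, chain);
        try (OutputStream out = new FileOutputStream(STORE_PATH)) {
            ks.store(out, PASSWORD);
        }
    }

    /** Run at every server start; the returned key signs new client certificates. */
    static PrivateKey loadSigningKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(STORE_PATH)) {
            ks.load(in, PASSWORD);
        }
        return (PrivateKey) ks.getKey(ALIAS, PASSWORD);
    }

    /** The intermediate certificate is needed too: clients must present it with their own cert. */
    static X509Certificate loadIntermediateCert() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(STORE_PATH)) {
            ks.load(in, PASSWORD);
        }
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        return (X509Certificate) chain[0];
    }
}
```

The private key of the intermediate is the sensitive part here: whoever holds it can issue client certificates your server will accept, so keep the keystore file readable only by the server process and treat the password like any other secret.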

How do clients actually get trusted by the server? Is it the fact that the certificate they have is signed by the server's rootcert->intermediatecert and that creates the chain of trust?

It is the fact that a chain of certificates exists from the client cert to the trusted root cert.

Or, after I create my certificate, do I need to add that cert to the KeyStore trustStore I'm using when my server starts? Something like this (pseudocode)

No. Just make sure the root cert is in the truststore, via the keytool. You don't need to write code at all.
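To make the answer's point concrete, here is an added example (not the answerer's code or Netty's) of what the server's trust decision actually consists of: a truststore holding only the root certificate, and a PKIX path validation of the chain a client presents (its own cert plus the intermediate). The truststore path, password and PEM file names are assumptions; the truststore is the kind `keytool -importcert` produces. If the chain does not lead to the root in the truststore, validation fails even though each certificate on its own is well formed, which is why no per-client `setCertificateEntry` is needed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

public class ClientChainCheck {
    // Assumed: a JKS truststore created with keytool that contains only the root CA cert.
    static final String TRUSTSTORE_PATH = "server-truststore.jks";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    static KeyStore loadTrustStore() throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            ts.load(in, TRUSTSTORE_PASSWORD);
        }
        return ts;
    }

    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Returns true if the presented chain (end-entity first, root excluded) leads to a
     * trust anchor in the truststore. This is the same check the JDK's X509TrustManager
     * performs during the TLS handshake when client authentication is enabled.
     */
    static boolean chainIsTrusted(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        // Every trusted certificate entry in the keystore becomes a trust anchor.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // no CRL/OCSP set up in this example
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("Trusted, anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathValidatorException e) {
            // getIndex() tells you which certificate in the chain failed (-1 if not cert-specific).
            System.out.println("Rejected at chain index " + e.getIndex() + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Assumed file names for the certificates a client would send in its handshake.
        X509Certificate clientCert = readCert(cf, "client.pem");
        X509Certificate intermediate = readCert(cf, "intermediate.pem");
        chainIsTrusted(ts, Arrays.asList(clientCert, intermediate));
    }
}
```

In Netty the same trust decision is configured rather than coded: `SslContextBuilder.forServer(serverCertChain, serverKey).trustManager(rootCaPem).clientAuth(ClientAuth.REQUIRE).build()` hands the root certificate to the trust manager, and clients are accepted or rejected by exactly this kind of path validation. Two things commonly break it in practice: the client sending only its own certificate without the intermediate (the server then cannot build the path to the root), and an expired intermediate, which is the "until it expires" caveat in the answer.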
