db-derby-user mailing list archives

From Dag Wanvik <dag.wan...@oracle.com>
Subject Re: SSL peerAuthentication
Date Fri, 11 Jan 2013 02:44:35 GMT
Right. Sounds weird. I'll investigate. Might take some days though...

Dag

On 10.01.2013 21:20, Thomas Hill wrote:
> yes, I did check the docs. My serverTrustStore was populated as described in the
> manual, i.e.
> "Install a client certificate in the server's trust store:
>
> keytool -import -alias aDerbyClient -file aClient.cert 
>         -keystore serverTrustStore.key"
>
> As said, my expectation was that installing just the certificate of the client(s)
> would suffice (as per my use case 3a). And this way the set-up of the
> serverTrustStore would be achieved the same way as, and be consistent with, how
> this is done for the clientTrustStore (and, as said, my use case 2 below, where
> only the client requests peerAuthentication, works). But in the case of the
> serverTrustStore and the server requesting peerAuthentication this only works
> after importing the CA certificate into the serverTrustStore as well - BUT!!
> then *any* client certificate signed by this CA seems to work - even if the
> client certificate is not part of the truststore. In fact it already works if
> the CA certificate is the *only* certificate in the serverTrustStore. It is
> unclear to me why the CA certificate needs to be imported into the truststore -
> imho this should not be necessary.

