db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dag Wanvik <dag.wan...@oracle.com>
Subject Re: SSL peerAuthentication
Date Mon, 04 Feb 2013 03:36:12 GMT
Reading up on this, this is my understanding for your case
(peerAuthentication in both directions).
When using CA signed certs for both sides, you should keep the CA certs
in the trust stores, i.e.

Client keystore:                                            Server keystore:
client-key                                                      server-key
client-cert                                                     server-cert

Client truststore:                                         Server
truststore:
server-ca-cert                                               client-ca-cert

Of course, server-ca and client-ca may be identical as in your example.

where:

  * server-cert: the cert that the server presents to clients
  * server-key: the private key that corresponds to server-cert
  * server-ca-cert: the cert of the CA that signed server-cert
  * client-cert: the cert that the client presents to the server
  * client-key: the private key that corresponds to client-cert
  * client-ca-cert: the cert of the CA that signed client-cert

It is true that this will allow secure connection of any client that has
a cert signed by "client-ca-cert", but this is as it should be: the
client is authenticated, the communication can proceed encrypted.
Further authorization should be handled by the server.

Hope this helps,
Dag


Mime
View raw message