You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-user@db.apache.org by Dag Wanvik <da...@oracle.com> on 2013/02/04 04:36:12 UTC

Re: SSL peerAuthentication

Reading up on this, this is my understanding for your case
(peerAuthentication in both directions).
When using CA signed certs for both sides, you should keep the CA certs
in the trust stores, i.e.

Client keystore:                                            Server keystore:
client-key                                                      server-key
client-cert                                                     server-cert

Client truststore:                                         Server
truststore:
server-ca-cert                                               client-ca-cert

Of course, server-ca and client-ca may be identical as in your example.

where:

  * server-cert: the cert that the server presents to clients
  * server-key: the private key that corresponds to server-cert
  * server-ca-cert: the cert of the CA that signed server-cert
  * client-cert: the cert that the client presents to the server
  * client-key: the private key that corresponds to client-cert
  * client-ca-cert: the cert of the CA that signed client-cert

It is true that this will allow secure connection of any client that has
a cert signed by "client-ca-cert", but this is as it should be: the
client is authenticated, the communication can proceed encrypted.
Further authorization should be handled by the server.

Hope this helps,
Dag