1 Reply Latest reply: May 11, 2011 11:20 AM by 837604 RSS

    Problem with CertificateRequest when using a smart card

    837604
      Hello,

      I have used the ssl debug statement to determine that ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA place in the ssl server list.

      Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.

      The intermediate CA is in the local cert store.

      The application being used is DavMail.

      Am I correct in stating that the the smart card certificates are checked against the server sent CAs?

      Does anyone know how to get Java to use he local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?
        • 1. Re: Problem with CertificateRequest when using a smart card
          837604
          Got OCSP working by setting the Java Security property "ocsp.enable" to true and the PKIXParameters setRevocationEnable to true. The PKIXParameters are used to create a CertPathTrustManagerParameters (cast to ManagerFactoryParameters). A TrustManagerFactory is created and the ManagerFactoryParameters are used as the argument to the init method of the TrustManagerFactory.

          Edited by: 834601 on May 11, 2011 12:18 PM