I have used the SSL debug statement to determine that the SSL server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password, and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server-sent CAs. However, since the issuer is an intermediate CA and only the root CA is in this list, the smart card certificates are rejected. I CAN'T have the intermediate CA placed in the SSL server list.
Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 184.108.40.206-74.fc14.i686.
The intermediate CA is in the local cert store.
The application being used is DavMail.
Am I correct in stating that the smart card certificates are checked against the server-sent CAs?
Does anyone know how to get Java to use the local cert store to find the intermediate CA and then verify it against the Root CA in the server-sent list?
Got OCSP working by setting the Java Security property "ocsp.enable" to true and the PKIXParameters setRevocationEnabled to true. The PKIXParameters are used to create a CertPathTrustManagerParameters (cast to ManagerFactoryParameters). A TrustManagerFactory is created and the ManagerFactoryParameters are used as the argument to the init method of the TrustManagerFactory.
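
The OCSP wiring described in the last paragraph, as an added example that is not part of the original post or of DavMail's code. It assumes the JRE's default `cacerts` truststore and its stock password (override with the standard `javax.net.ssl.trustStore` properties), and it uses `PKIXBuilderParameters`, the `PKIXParameters` subclass that the SunJSSE "PKIX" factory requires; the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class name): a TrustManagerFactory that
// enforces revocation checking of the server chain via OCSP.
public class OcspTrustExample {

    static TrustManagerFactory ocspTrustManagerFactory(KeyStore trustStore) throws Exception {
        // "ocsp.enable" is a Security property, not a -D system property.
        Security.setProperty("ocsp.enable", "true");

        // Trust anchors come from the truststore; an empty selector places
        // no extra constraint on the certificate being validated.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // With revocation enabled, a chain whose status cannot be
        // determined is rejected (fail closed).
        pkix.setRevocationEnabled(true);

        ManagerFactoryParameters params = new CertPathTrustManagerParameters(pkix);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(params);
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: default JRE truststore location and password.
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        char[] pass = System.getProperty(
                "javax.net.ssl.trustStorePassword", "changeit").toCharArray();

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, pass);
        }

        // Key managers are left null here; a client-certificate setup
        // would pass its own KeyManager array as the first argument.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, ocspTrustManagerFactory(trustStore).getTrustManagers(), null);
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```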