I have a requirement where a single web app, which has multiple web services, needs SSL configured. But only one web service should have mutual SSL and rest have to be on one-way SSL.
For this, I have used:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="somefolder\some-KeyStore.store" keystorePass="changeit"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="SSL"
truststoreFile="somefolder\some-trustStore.jks"
truststoreType="JKS" truststorePass="Changeit"/>
And in the code I use below code in a filter to a service URL:
X509Certificate[] certificates = (X509Certificate[]) request
.getAttribute("javax.servlet.request.X509Certificate");
This checks if the service that needs mutual SSL gets a certificate that is valid. So when that URL gets called, the servlet filter checks for cert.
But the problem is that this works only for self-signed certs; when I use CA signed certs, the above scriptlet returns null. (i.e., no certs)
The cert algorithms are RSA and DSA types; is there any significance of this or the type of keyStores and trustStores.
Please let me know if I am missing anything, or if I need to use any other code for CA signed certs. I really need CA certs in the requests.
Thanks for the Input,
But I figured it out. I did not import the cert chain in the TrustStore initially, and I just had the CA cert there. Once I configured the CA certs, keystore and trustStore properly, it fixed the issue.
It worked initially with self-signed certs because self signed certs don't have cert chains.