sslwildflyclient-certificateselytron

How to configure Elytron for root certificate in truststore?


Is it possible to configure WildFly 13 client-cert authentication with root-ca certificate in truststore? Clients would use certificates signed by this root.

Here's what's makes me wonder: in this documentation https://ctomc.github.io/docs-playground/WildFly_Elytron_Security.html they say that:

IMPORTANT: The decoded principal * MUST* must be the alias value you set in your server’s truststore for the client’s certificate.

That means that I can configure decoder to map attribute other than CN, which would point to the root-ca alias in my truststore, and all client certs would have this attribute pointing to the root-ca alias.
But, the question is, how would server know which user to map to this certificate since it is mapping this 'other' attribute to the same certificate in truststore?


Solution

  • I think what you are trying achieve is possible since https://issues.jboss.org/browse/ELY-1418, which means since WF14.

    Since ELY-1418 you don't have to keep user certificates in keystore-realm.