
SUN JRE 1.5.0_06 client certificate selection problem on SSL client
Author: Ulf Leichsenring
2006-09-19, 7:05 pm

I have a problem with the client certificate selection dialog of the SUN
JRE 1.5.0_06 if an SSL client authentication has to be done.

The users have two certificates/key-pairs on their smartcard. One is
used for email security and has the key usage "key encipherment" and
"data encipherment". The other certificate is for authentication and
signature and has only the key usage "Digital Signature" set.

A Java applet should now establish an SSL connection to the server. But
the Java runtime pops up a dialog box asking which certificate to use
and shows both certificates. That's funny because only one of the two
certificates has the needed key usage "Digital Signature" set. If I
choose the wrong certificate, the SSL handshake fails. Since both
certificates have the same name (distinguished name = name of that user)
the "normal" user can't decide correctly which one to choose.

I already checked the settings inside the Java control panel found at
"Extended->Security->Automatically use personal certificate, if only one
of the certificates matches the server's requirements" (sorry if not
correct word-by-word, I only have the German texts) and the flag is set
on this topic. The JRE correctly selects only those certificates that
are signed by the "correct" CA, but it seems it's totally ignoring the
key usage of the certificates.

How can I set up the JRE so that only certificates with the needed key
usage "Digital Signature" are offered in the message dialog while
performing the SSL client authentication? And if only one certificate
matches, how can it be selected automatically?

Any ideas are welcome.

Best regards
Ulf

--
Ulf Leichsenring
ulf@leichsenring.net
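One application-side way to get the behaviour asked for above, as an added example that is not from the poster or from Sun's JRE: an X509KeyManager wrapper that drops every candidate client alias whose certificate carries a KeyUsage extension without the digitalSignature bit, so the encipherment-only e-mail certificate is never offered and a single matching authentication certificate is picked without a dialog. It assumes the smartcard keys are already loaded into a KeyStore (for example through a PKCS#11 provider) and that the applet builds its own SSLContext; the class name and the `wrap` helper are assumptions of this example.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Key manager that only offers client certificates whose KeyUsage
 *  extension has the digitalSignature bit set (getKeyUsage()[0]). */
public final class DigitalSignatureKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public DigitalSignatureKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    /** Wraps the JRE's default key manager for a KeyStore (e.g. a PKCS#11 smartcard store). */
    public static X509KeyManager wrap(KeyStore ks, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        for (KeyManager km : kmf.getKeyManagers())
            if (km instanceof X509KeyManager) return new DigitalSignatureKeyManager((X509KeyManager) km);
        throw new IllegalStateException("no X509KeyManager available");
    }

    private boolean signsForClientAuth(String alias) {
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        if (chain == null || chain.length == 0) return false;
        boolean[] ku = chain[0].getKeyUsage();
        // No KeyUsage extension means unrestricted; otherwise require digitalSignature (bit 0).
        return ku == null || ku[0];
    }

    public String[] getClientAliases(String keyType, Principal[] issuers) {
        String[] all = delegate.getClientAliases(keyType, issuers); // already filtered by issuer/CA
        if (all == null) return null;
        List<String> ok = new ArrayList<String>();
        for (String a : all) if (signsForClientAuth(a)) ok.add(a);
        return ok.isEmpty() ? null : ok.toArray(new String[ok.size()]);
    }

    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        for (String keyType : keyTypes) {
            String[] ok = getClientAliases(keyType, issuers);
            if (ok != null) return ok[0]; // with one signing cert this is the automatic choice
        }
        return null; // nothing suitable: handshake continues without a client certificate
    }
    public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

Install it with `sslContext.init(new KeyManager[] { DigitalSignatureKeyManager.wrap(ks, pin) }, null, null)` and use that context's socket factory for the applet's HTTPS connection; the JRE's own browser-style dialog is only bypassed for connections that go through this context.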

Copyright 2008 codecomments.com