<p>It seems there are two issues here: generating the certificate dynamically ("<em>What I would like to do is create a certificate at runtime and use it.</em>") and setting it up without restarting ("<em>Is it possible to change keystore at runtime?</em>").</p>
<ul>
  <li><p>To generate a certificate dynamically, you can use <a href="http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation" rel="nofollow">BouncyCastle and its <code>X509V3CertificateGenerator</code> class</a>.</p>
    <ul>
      <li><p>First, generate a self-signed CA (with the CA basic constraint set), using <a href="http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html" rel="nofollow">keytool</a> for example (look at the <code>-ext</code> option for details). This will be your custom CA.</p></li>
      <li><p>Export the certificate from that keystore (only the CA certificate, not its private key) and import it into the clients you're going to use.</p></li>
      <li><p>In your application, use that private key for signing with the <code>X509V3CertificateGenerator</code>, and make sure the Issuer DN you use matches the Subject DN of the CA cert you've generated above.</p></li>
      <li><p>Then, you'll need to configure the certificate generator with a Subject DN (or Subject Alternative Name) that matches the host name your client intends to contact. This may be the tricky bit if you intend to do this automatically as some sort of transparent proxy. (As far as I know, current versions of Java can't read the name coming from the SNI extension, at least not in advance or without doing more manual processing.) The easier way would certainly be to have this host name as a configurable option in your tool.</p></li>
    </ul>
  </li>
  <li><p>To set it up without restarting the server, you could implement your own <code>X509KeyManager</code> that stays in place in the <code>SSLContext</code> you're using, but for which you keep a reference and custom accessors to re-configure the certificate later on. It's certainly not necessarily something "clean", and I haven't tried it, but it should work in principle. (You should certainly make sure the concurrency aspects are handled properly.)</p>
    <p>This might allow you not to have to shut down the listening socket, reconfigure the <code>SSLContext</code> and restart the socket. Considering that you might need to interact with your application anyway (to reconfigure the host name), this might be overkill.</p></li>
</ul>
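The swappable <code>X509KeyManager</code> the answer sketches, as an added example that is not the answerer's code: the class name, the alias scheme and the current/previous snapshot pair are my own choices, and it assumes the key and chain passed to <code>update()</code> come from the certificate-generation step described above.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.X509KeyManager;

/** Server-side key manager whose key and certificate chain can be replaced at runtime. */
public final class SwappableKeyManager implements X509KeyManager {
    /** Immutable key/chain pair named by a unique alias, so every lookup sees a matching pair. */
    private static final class Entry {
        final String alias; final PrivateKey key; final X509Certificate[] chain;
        Entry(String a, PrivateKey k, X509Certificate[] c) { alias = a; key = k; chain = c.clone(); }
    }
    private final AtomicLong seq = new AtomicLong();
    private final AtomicReference<Entry> current = new AtomicReference<>();
    // The previous entry is retained so a handshake that chose its alias just before a swap still resolves it.
    private final AtomicReference<Entry> previous = new AtomicReference<>();

    /** Install a new key and chain; handshakes already in flight keep the entry they chose. */
    public synchronized void update(PrivateKey key, X509Certificate[] chain) {
        Entry e = new Entry("server-" + seq.incrementAndGet(), key, chain);
        previous.set(current.getAndSet(e));
    }
    private Entry lookup(String alias) {
        Entry c = current.get();
        if (c != null && c.alias.equals(alias)) return c;
        Entry p = previous.get();
        return p != null && p.alias.equals(alias) ? p : null;
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        Entry e = current.get();  // keyType is the JSSE key algorithm name, e.g. "RSA" or "EC"
        return e != null && e.key.getAlgorithm().equals(keyType) ? e.alias : null;
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        String a = chooseServerAlias(keyType, issuers, null);
        return a == null ? null : new String[] { a };
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        Entry e = lookup(alias); return e == null ? null : e.chain.clone();
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        Entry e = lookup(alias); return e == null ? null : e.key;
    }
    // This manager only ever acts as a TLS server, so it never offers a client identity.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return null; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return null; }
}
```

Pass one instance as <code>new KeyManager[] { km }</code> to <code>SSLContext.init(...)</code> once, keep the reference, and call <code>update()</code> with each freshly generated key and chain; the listening socket stays open throughout.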