
Only accept certain certificates

I have created my own CA, and I want to use its certificates to communicate with a server using SSLSockets. I can do that with the truststore I am currently using, but I would like to be more restrictive, so that my server only accepts connections from the clients I explicitly decide, which must own certificates signed by my CA (right now, anyone with a certificate signed by my CA is granted access). The goal behind this is to be able to revoke certificates, by eliminating some certificates from the server's truststore.

Imagine there are two devices, A and B, both with certificates signed by my CA. I only want to grant access to A, not B. If I only have A's certificate in the server's truststore, I get a BadCertificate exception for both of the clients; the moment I add my CA's pem file, both A and B are granted access, regardless of whether A's or B's certificates are explicitly added to the truststore.

Any ideas or alternatives to this approach? Thanks.

The revocation part of a PKI infrastructure (e.g. what you get if you have your own CA) is usually done with CRLs (certificate revocation lists) or OCSP (online certificate status protocol).

If this is too much effort for a small PKI with only a few clients, you can also hard-code the fingerprints of the certificates you accept (whitelist) or which got revoked (blacklist) into your application and check on each connect whether the certificate you got matches a fingerprint. Of course you need to update the application on each revocation (blacklist) or whenever you issue a new certificate (whitelist), so this does not scale very well. But the same problem occurs with CRLs, which need to be distributed to each client.

OCSP scales much better because the client tries to retrieve the revocation status on connect, but then you need to set up an OCSP responder.
