
server-side authentication with ssl: sending certificate file from client

I've successfully set up SSL authentication with certificates: configured Apache http-client, configured the server (WebLogic, CLIENT-CERT login-config if that matters), tested that it works.

However, in the client code I have to hardcode the path to the trust-store (either manually initializing TrustManagerFactory or through the respective JVM properties) and its password as well, and I don't feel it's right. Additionally, the certificates have to be manually registered on the client side with keytool, which is also not so flexible.

So, is there a way to completely avoid all that? Ideally the client will have the certificate file bundled with it, sending it to the server when requested to do so. I tried to google it, but never found how to manually stream a certificate file.

UPDATE

As suggested here, I tried to read the certificate file into a new keystore with no password and initialize both KeyManagerFactory and TrustManagerFactory with this keystore:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cer;
try (InputStream in = new FileInputStream("myFile.cer")) {
    cer = cf.generateCertificate(in);
}

// in-memory keystore with an empty password; it holds only the certificate, no private key
KeyStore defaultKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
defaultKeyStore.load(null, "".toCharArray());
defaultKeyStore.setCertificateEntry("alias", cer);

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(defaultKeyStore);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(defaultKeyStore, "".toCharArray());

SSLContext ctx = SSLContext.getInstance("SSL");
ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

But it didn't work: the usual exception "peer not authenticated". I guess it's because I need the corresponding private key also, but there's no way to get it...

If you want to trust, for example, one specific server certificate, you could add the X.509 certificate to your classpath and use a javax.net.ssl.X509TrustManager (produced from your TrustManagerFactory). No need for a keystore (and keytool) then.
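The following is an added example, not code from the question or the answer, that puts the two halves together: the server certificate is loaded from the classpath into an in-memory keystore and turned into a TrustManager, as the answer suggests, and the client's identity comes from a PKCS#12 file bundled the same way, because client-certificate authentication needs the private key that a bare .cer file does not contain (the asker's own guess). The resource names `server-ca.pem` and `client.p12`, the environment variable `CLIENT_P12_PASSWORD` and the URL `https://example.invalid/secure` are placeholders chosen for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class BundledCertClient {

    // Hypothetical classpath resources (assumptions for this example):
    //   server-ca.pem - X.509 certificate of the server (or of the CA that issued it)
    //   client.p12    - PKCS#12 bundle holding the client certificate AND its private key
    private static final String TRUST_CERT_RESOURCE = "/server-ca.pem";
    private static final String CLIENT_P12_RESOURCE = "/client.p12";

    /** Trust only the bundled certificate: no keytool, no truststore file, no JVM properties. */
    static TrustManagerFactory trustManagersFromClasspath(String resource)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // fresh, empty, in-memory keystore
        try (InputStream in = BundledCertClient.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("missing classpath resource " + resource);
            }
            trustStore.setCertificateEntry("server", cf.generateCertificate(in));
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    /** The client identity must include the private key, so it is loaded from PKCS#12, not from a .cer. */
    static KeyManagerFactory keyManagersFromClasspath(String resource, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = BundledCertClient.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("missing classpath resource " + resource);
            }
            identity.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);
        return kmf;
    }

    /** Key managers answer the server's CertificateRequest; trust managers validate the server's chain. */
    static SSLContext buildContext(char[] p12Password) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagersFromClasspath(CLIENT_P12_RESOURCE, p12Password).getKeyManagers(),
                 trustManagersFromClasspath(TRUST_CERT_RESOURCE).getTrustManagers(),
                 null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Read the PKCS#12 password from the environment instead of hardcoding it (assumed variable name).
        String pw = System.getenv("CLIENT_P12_PASSWORD");
        char[] password = pw == null ? new char[0] : pw.toCharArray();

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://example.invalid/secure").openConnection();
        conn.setSSLSocketFactory(buildContext(password).getSocketFactory());
        // Hostname verification is left at its default; the bundled certificate must match the host.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The reason the question's version failed is visible here: a keystore that holds only a certificate entry gives the KeyManagerFactory nothing to present when the server (CLIENT-CERT) asks for a client certificate, so the handshake is rejected as "peer not authenticated". The same SSLContext can be handed to Apache HttpClient's SSL socket factory instead of HttpsURLConnection; what matters is that both the trust material and the private key come from resources shipped with the client, and the only secret left is the PKCS#12 password, supplied at runtime rather than compiled in.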
