
How to grab a pki certificate with Jersey / Spring?

I would like to grab a PKI certificate when a request happens in Jersey / Spring. I tried doing:

 @GET
 @Path("/testCert")
 @Produces("text/plain")
 public String testCert(@Context HttpServletRequest request)
 {
   X509Certificate[] certs = (X509Certificate[]) request
       .getAttribute("javax.servlet.request.X509Certificate");
   return "Running... \n";
 }

But that didn't grab my cert out of the browser, and I don't know what else to try.

The browser won't send the client certificate unless requested by the server, and you typically need to modify the default server configuration to request a client certificate. For instance, in Tomcat you need to add the attribute clientAuth=true to the Connector element that defines your HTTPS listener. You can also use clientAuth=want * to request a client certificate, but still allow an unauthenticated connection.

If you have your server set up to request a client certificate and it's still not being sent, then you might need to set up the browser and/or server to trust the other's certificate. This is especially relevant if you're using self-signed certificates -- that definitely won't work without importing the client certificate into the browser trust store.

The Tomcat SSL How-to is a good starting point for additional information, some of which is not specific to Tomcat; if you're using a different server you'll obviously need to hunt down its documentation for configuration options.

If all else fails, you can pass -Djavax.net.debug=ssl on the command line to get some insight into what's going on at the SSL layer.

* Older Tomcat versions used optional to invoke this behavior. Consult the documentation for your specific Tomcat version to determine the correct property.
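
Once the connector requests a client certificate as described above, the resource method can read it and must cope with it being absent. The following is an added example, not code from the original question or answer; the class name `ClientCertResource`, the `/whoami` path and the `commonName` helper are hypothetical, and it assumes the `javax.*` servlet and JAX-RS APIs used in the question.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

// Hypothetical resource class and path, for illustration only.
@Path("/whoami")
public class ClientCertResource {
    // Request attribute the servlet container sets when the client presented a
    // certificate during the TLS handshake (jakarta.servlet... on Jakarta EE 9+).
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @GET
    @Produces("text/plain")
    public Response whoAmI(@Context HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        // Null or empty: plain HTTP, the connector never asked for a certificate,
        // or it asked with clientAuth=want and the client sent none.
        if (chain == null || chain.length == 0) {
            return Response.status(Response.Status.UNAUTHORIZED)
                    .entity("No client certificate presented\n").build();
        }
        // chain[0] is the client's own certificate; later entries are its issuers.
        X509Certificate leaf = chain[0];
        String subject = leaf.getSubjectX500Principal().getName();
        return Response.ok("Subject: " + subject + "\nCN: " + commonName(subject)
                + "\nIssuer: " + leaf.getIssuerX500Principal().getName() + "\n").build();
    }

    // Parse the DN with LdapName instead of splitting on commas, which breaks
    // on escaped commas inside attribute values.
    static String commonName(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            return null; // unparsable DN: report no CN
        }
        return null;
    }
}
```

The container has already validated the chain against its trust store by the time this method runs; deciding what the certificate's subject is allowed to do remains the application's job.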
