Access to the "Intermediate Certification Authorities" keystore?

Mar 29, 2011 at 7:18 PM
Edited Mar 29, 2011 at 7:24 PM

Java provides access to the Windows personal and trusted root CAs keystores using code like this:

KeyStore rootCaCerts = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");

I have a situation where the user certs I'm dealing with are not in the Windows keystore (they're on a smart card), but the associated CA certs are in the Windows keystores. The user certs are issued by intermediate CAs, and the certs for those CAs are in the Intermediate keystore. I have no programmatic access to that keystore, which makes it impossible to build a trusted certificate chain.

Does Waffle provide a way to do this?

Mar 30, 2011 at 11:23 AM

Waffle doesn't do anything with key stores, at least not explicitly. If there's a Win32 API to do this, we can call it. What would an actual user logon scenario be?

Oct 2, 2011 at 8:13 PM

I have a situation as well where the user certs I am dealing with are on a PIV card (smart card) and the associated CA certs are from an outside authority. We have a web application that uses Apache as the webserver. We can tie in the LDAP authentication without any issues into the web appliation. What we would like to do is use the PIV card with its cert and PIN to log in with SSO into the network and the web application. Is this possible with Waffle?

Oct 5, 2011 at 12:10 PM

@tsmith3601: it depends, but on Windows the short answer should be yes. If you can login to the machine with this smart card and then do SSO to an IIS server, waffle will do the same for your Apache server. Now, we don't support Apache, but we do support any other container-based system like Tomcat.

Oct 5, 2011 at 12:59 PM

Thank you for your reply. We are using the Tomcat container however we are using Apache as the web server. Is there any documented steps on achieving this with waffle?

Oct 5, 2011 at 2:05 PM

Just like any other tomcat. See the docs/tutorials/faq.