I am working on a Java web service and using the Tomcat server. Since this application would be B2B, we require client authentication. We are using openssl for creating a certificate. For each user we will create a self-signed certificate and we will send it through mail or something. Now here the problem comes: when the client makes a call to the server over a secured connection, the client should send the certificate provided by the server. I want the client to be able to send the certificate for client authentication, without any code implementation on the client side. Is there any way to achieve this? Can someone tell me the exact steps required to implement this?
Stop right there. This is already insecure. It implies that you have the user's private key. The user, and only the user, should have the user's private key. The user should generate his own private key and, if you insist, his own self-signed certificate, or better still get it signed by a CA. He should then send it to you if you need it for any reason.
What you are doing is completely back to front and from the legal/security point of view utterly worthless. In fact it contains major legal risks that you need to inform yourself about before proceeding any further. One of those is complete loss of non-repudiation of user transactions. This is enough to shut down your business.
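The flow the answer describes, as an added openssl walkthrough that is not part of the question or answer: the client generates its own key and a certificate signing request, the service operator's CA signs only the request, and the client's private key never leaves the client. The CA name, the `WORK` directory and the file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: key ownership stays with the client; the operator only signs.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (service operator, once): create a private CA that signs client certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example B2B Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2 (client, on its own machine): generate the private key and a CSR.
# Only client.csr is mailed to the operator; client.key is never sent anywhere.
make_client_request() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Step 3 (operator): sign the CSR and return client.crt to the client.
# The operator sees the public key only, so the user keeps non-repudiation.
sign_client_request() {
  openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/client.crt" 2>/dev/null
}

# What the server checks at the TLS handshake: the presented certificate
# chains to the operator's CA. Prints "ok" when it does.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 && echo ok
}

# Issuer of the client certificate, for inspection.
client_cert_issuer() {
  openssl x509 -in "$WORK/client.crt" -noout -issuer
}

# Step 4 (operator): Tomcat's truststore only needs ca.crt (with clientAuth="true"
# on the connector); the client's private key is not needed on the server at all.
#   keytool -importcert -alias b2b-ca -file ca.crt -keystore truststore.jks
```

The client configures its own key pair (client.key plus the returned client.crt) in whatever HTTP client it uses; the server side needs nothing more than the CA certificate.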