@infamousjoeg
Last active January 28, 2022 15:34
How to use CCP Client Certificate Authentication with Java
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;

// This is the "first-party" way to do it, using only plain Java libraries.
// Starting from the top, one needs to configure an HTTP client. The only requirement here is that it must accept an instance of `javax.net.ssl.SSLContext`, which it can use to create connections.
// This `SSLContext` is the class that can be configured to facilitate the authentication, but it must be done with the `javax.net.ssl.KeyManager` class.
// To create the `KeyManager`s, one can use `KeyManagerFactory` as follows:
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
// `getKeyStoreWithKey` (defined elsewhere) returns a `KeyStore` with the client certificate and its private key loaded (`KeyStore.load`).
KeyStore clientCertKeyStore = getKeyStoreWithKey(cyberArkCCP.getKey(), cyberArkCCP.getKeyPassword());
keyManagerFactory.init(clientCertKeyStore, cyberArkCCP.getKeyPassword().toCharArray());
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
// Finally, we can get the `SSLContext` to use the `KeyManagers` as follows:
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagerFactory.getTrustManagers(), null);
// Note that I used a `TrustManagerFactory` I prepared earlier – I believe the value `null` will cause the `SSLContext` to retrieve the default trust managers.
// Once this `SSLContext` is delivered to a client, that should be it – the presence of the `KeyManagers` should let the HTTP client carry out the authentication.
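The gist stops at the `SSLContext`; the following is an added, self-contained example (not the gist author's code) that carries the same approach through to an actual request with the JDK's built-in `java.net.http.HttpClient` (Java 11+). It assumes the client certificate and private key are in a PKCS#12 file, that the CCP server's issuing CA is in a separate truststore (so the server is verified against a known CA rather than the JDK default), and that the CCP endpoint follows the `/AIMWebService/api/Accounts` REST layout with `AppID`, `Safe` and `Object` query parameters; the hostname, file paths, environment variable names and parameter values are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Objects;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not part of the gist. Assumptions: client cert + key in a
 * PKCS#12 file, server CA in an explicit truststore, and the CCP REST path
 * /AIMWebService/api/Accounts with AppID/Safe/Object query parameters.
 */
public final class CcpClientCertExample {

    /** Builds KeyManagers from a PKCS#12 file holding the client certificate and its private key. */
    static KeyManagerFactory clientKeyManagers(String p12Path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // key entry password; for PKCS#12 this is normally the store password
        return kmf;
    }

    /** Builds TrustManagers from an explicit truststore so the CCP server is checked against a known CA. */
    static TrustManagerFactory serverTrustManagers(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf;
    }

    /** Wires KeyManagers and TrustManagers into one SSLContext, the step the gist ends on. */
    static SSLContext mutualTlsContext(KeyManagerFactory kmf, TrustManagerFactory tmf)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        // Passing null as the TrustManager[] would fall back to the JDK default truststore instead.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and environment variable names; secrets are read from the environment, not hard-coded.
        char[] keyPassword = Objects.requireNonNull(System.getenv("CCP_CLIENT_KEY_PASSWORD"),
                "CCP_CLIENT_KEY_PASSWORD not set").toCharArray();
        char[] trustPassword = Objects.requireNonNull(System.getenv("CCP_TRUSTSTORE_PASSWORD"),
                "CCP_TRUSTSTORE_PASSWORD not set").toCharArray();

        SSLContext ctx = mutualTlsContext(
                clientKeyManagers("/etc/app/ccp-client.p12", keyPassword),
                serverTrustManagers("/etc/app/ccp-truststore.p12", trustPassword));

        // The HttpClient only needs the SSLContext; the KeyManagers inside it drive the client-cert handshake.
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();

        // Assumed CCP REST layout and placeholder hostname/values.
        URI uri = URI.create("https://ccp.example.internal/AIMWebService/api/Accounts"
                + "?AppID=MyApp&Safe=MySafe&Object=db-service-account");
        HttpRequest request = HttpRequest.newBuilder(uri).GET().build();

        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // A non-200 status generally means the TLS handshake succeeded but CCP rejected the
            // request (for example, the presented certificate is not allowed for this AppID).
            throw new IllegalStateException("CCP returned HTTP " + response.statusCode());
        }
        // The body is JSON carrying the retrieved secret: parse it, never log it.
        System.out.println("Credential retrieved; response body length " + response.body().length());
    }
}
```

Two design choices worth noting: the truststore is explicit rather than `null` so that only the CA that issued the CCP server certificate is trusted, and the error path logs the status code but not the response body, since a failed lookup can still echo request details that do not belong in logs.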