Elytron: Configure authentication with certificates without having client's certificate in truststore

Sagar Shrivastava

Sep 14, 2021, 10:42:44 AM
to WildFly
Hi

As a requirement for our enterprise product, I was trying to "Configure Authentication with Certificates" in WildFly Elytron, where I see the following limitation:
"IMPORTANT: The decoded principal *MUST* be the alias value you set in your server's truststore for the client's certificate."
According to this, the client certificate is needed in the server's truststore.

However, as part of one of our requirements, it is important for us not to put the client certificate into the truststore. It is okay for us to provide a root/subroot certificate, but we cannot put the client certificate into the truststore. Is there any way to avoid putting the client certificate into the truststore and still be able to configure authentication with certificates? Need some help here.

Thanks,
Sagar

dvilkola

Sep 28, 2021, 12:58:39 PM
to WildFly
Hello. This blog post might be useful: https://developer.jboss.org/people/fjuma/blog/2019/06/14/using-elytron-certificate-based-authentication-with-authorization . It explains how to use certificate-based authentication/authorization without the need to store individual client certificates in the server's truststore.
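The approach the reply points to, as an added jboss-cli configuration example that is not part of this thread or of the linked blog post: the truststore holds only the root/subroot CA, the trust manager validates the client's chain against it, a principal decoder turns the certificate subject's CN into the Elytron principal, and a filesystem realm (rather than a key-store-realm, so no truststore alias has to match) supplies the identity and roles. All resource names, file paths, the existing server key manager and the CHANGE_ME password are assumptions.

```jboss-cli
# Truststore containing ONLY the enterprise root/subroot CA certificate
# (assumed file name; CHANGE_ME is a placeholder password).
/subsystem=elytron/key-store=caTrustStore:add(path=ca-truststore.jks, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=CHANGE_ME})

# Trust manager: a client certificate is accepted if it chains to a CA in
# caTrustStore; the client's own (leaf) certificate is never stored there.
/subsystem=elytron/trust-manager=caTrustManager:add(key-store=caTrustStore)

# Two-way TLS context; serverKeyManager is assumed to exist already.
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=serverKeyManager, trust-manager=caTrustManager, need-client-auth=true, protocols=["TLSv1.2","TLSv1.3"])

# Principal decoder: the CN of the client certificate subject becomes the principal.
/subsystem=elytron/x500-attribute-principal-decoder=cnDecoder:add(attribute-name=cn, maximum-segments=1)

# Identities are keyed by that CN in a filesystem realm; nothing about the
# certificate itself is stored, so the key-store-realm alias rule does not apply.
/subsystem=elytron/filesystem-realm=certUsersRealm:add(path=cert-users, relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=certUsersRealm:add-identity(identity=client1)
/subsystem=elytron/filesystem-realm=certUsersRealm:add-identity-attribute(identity=client1, name=Roles, value=[Admin])
/subsystem=elytron/simple-role-decoder=rolesAttributeDecoder:add(attribute=Roles)

# Security domain wiring: decoder -> realm -> roles.
/subsystem=elytron/security-domain=certSD:add(default-realm=certUsersRealm, permission-mapper=default-permission-mapper, principal-decoder=cnDecoder, realms=[{realm=certUsersRealm, role-decoder=rolesAttributeDecoder}])

# CLIENT_CERT HTTP mechanism and the Undertow hook-up.
/subsystem=elytron/http-authentication-factory=certHAF:add(http-server-mechanism-factory=global, security-domain=certSD, mechanism-configurations=[{mechanism-name=CLIENT_CERT}])
/subsystem=undertow/application-security-domain=certASD:add(http-authentication-factory=certHAF)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=twoWaySSC)
```

With this wiring a certificate issued by the CA whose CN has no identity in certUsersRealm passes TLS validation but fails authentication, so per-client enablement lives in the realm rather than in truststore membership; revocation of an issued certificate still has to be handled on the trust manager (CRL/OCSP) since the truststore no longer lists individual clients.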