May 23rd, 2012, 11:24 PM
How to write a custom X.509 trust manager for validating the client
I have a web application in which I am using Spring APIs to get the principal information in the certificate to check for a valid user.
The assumption is that the app server in which this is deployed contains the trust store that holds the CA's certificate, and that it would validate the authenticity of the incoming request based on the requesting client's certificate and only then send it to the application.
Hence I was not validating the contents of the certificate and was just validating the Common Name (Principal) part of the certificate. Now, if I want to write my own trust manager in the application that would validate the certificate against the CA's certificate, how do I achieve the same in Spring?
I know that I need to write a custom truststore manager and override the checkClientTrusted method, but I don't know how to do it or how Spring should be configured to use this custom TrustManager. Does anybody know how to do this?