Programmatically retrieve Glassfish's certificates?

I just can't seem to find 开发者_如何学Pythonan explanation of how I can grab the certificate programmatically from Glassfish's keystore from an application running on Glassfish -- short of actually specifying the local system path to the keystore.

Presumably there is some facility for accessing these from within an application to do useful work? My use case is as follows: I would just like to grab the container's keystore and use the client certificate to authenticate against a remote server.

I had the same problem a while ago with a WebSphere. We were deploying an application that needed to access other applications via TLS with client authentication. So our first thought was to reuse the server TLS certificate for the purpose. There was no way to do it other than specifying the path to the key store resource. I think the WebSphere documentation explanation was something along the lines of "separation of concerns" - the SSL/TLS key store was only meant to be used for authenticating the server for connections made to it - not for anything else.

The argument is quite valid if you consider the Key Usage/Extended Key Usage fields and Distinguished Name of such a "server certificate". The DN is the server host name (used for host name verification) and the Extended Key Usage is "server authentication" most of the time.

Although your intention would still be valid if the certificate would additionally feature a "client authentication" Extended Key Usage (it did in our case). If it does then IMO it would be valid to re-use the certificate for that purpose.

But the best argument I heard in the discussion was this: the production servers were maintained by a different group of people than the actual app developers. If the app developers wanted to reuse the server key store file, then the server maintainers would have to tell them the password or at least grant read permissions to the application for for reading the file containing the key store password. Both was unacceptable for their security policies.