SSL Sessions SSL and HTTPS

    Return all possible aliases from the keystore that could be used to perform client-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, it will contain an array of principals who are CAs. The key belonging to an alias in the returned array must have been issued by an entity contained in the array. This method should not return null; if no appropriate aliases are found, it should return an array of length 0.

public String chooseClientAlias(String keyType, Principal[] issuers)
    Select the alias from the keystore that should be used to perform client-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, the key must be provided by an entity contained in the array. This method should return null if no appropriate alias is found.

public String[] getServerAliases(String keyType, Principal[] issuers)
    Return all possible aliases from the keystore that could be used to perform server-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, the key must be provided by an entity contained in the array. This method should not return null; if no appropriate aliases are found, it should return an array of length 0.

public String chooseServerAlias(String keyType, Principal[] issuers)
    Select the alias from the keystore that should be used to perform server-side SSL encryption for the given key type (e.g., RSA or DSA). If the issuers array is not null, the key must be provided by an entity contained in the array. This method should return null if no appropriate alias is found.

public X509Certificate[] getCertificateChain(String alias)
    Return the array of X509 certificates associated with the given alias. If the keystore contains non-X509 certificates for the given alias, those certificates should be ignored.
    Note that the method returns an array of java.security.cert.X509Certificate objects, not (as do most other classes within JSSE) javax.security.cert.X509Certificate objects.

public PrivateKey getPrivateKey(String alias)
    Return the private key for the alias.

As the API indicates, key managers may be used by both clients and servers in an SSL conversation. They are more frequently used by servers, since servers must always authenticate themselves to clients; a client's key manager is only consulted when the server asks for client authentication. Here's an implementation of this interface:

package javasec.samples.ch14;

import java.net.*;
import java.security.cert.X509Certificate;
import java.security.interfaces.*;
import java.security.*;
import java.util.*;
import javax.net.ssl.*;
import com.sun.net.ssl.*;

public class SSLKeyManager implements X509KeyManager {
    protected String alias;
    protected KeyStore ks;
    protected char[] pw;
    private String type;
    private String issuer;

    SSLKeyManager(KeyStore ks, String s, char[] pw) {
        this.ks = ks;
        alias = s;
        this.pw = pw;
        try {
            // Remember the key algorithm and the issuer of this alias's
            // certificate; both are checked when an alias is requested.
            java.security.cert.Certificate c = ks.getCertificate(s);
            type = c.getPublicKey().getAlgorithm();
            issuer = ((X509Certificate) c).getIssuerDN().getName();
        } catch (Exception e) {
            throw new IllegalArgumentException(s + " has a bad key");
        }
    }

    public String chooseClientAlias(String type, Principal[] issuers) {
        if (!type.equals(this.type))
            return null;
        if (issuers == null)
            return alias;
        for (int i = 0; i < issuers.length; i++) {
            if (issuer.equals(issuers[i].getName()))
                return alias;
        }
        return null;
    }

    public String chooseServerAlias(String type, Principal[] issuers) {
        return chooseClientAlias(type, issuers);
    }

    // Get the certificates -- make sure each is an X509Certificate
    // before copying it into the array.
    public X509Certificate[] getCertificateChain(String s) {
        try {
            java.security.cert.Certificate[] c = ks.getCertificateChain(s);
            Vector c2 = new Vector(c.length);
            for (int i = 0; i < c.length; i++)
                if (c[i] instanceof X509Certificate)
                    c2.add(c[i]);
            return (X509Certificate[]) c2.toArray(new X509Certificate[0]);
        } catch (KeyStoreException kse) {
            return null;
        }
    }

    public String[] getClientAliases(String type, Principal[] p) {
        String[] s;
        String alias = chooseClientAlias(type, p);
        if (alias == null)
            s = new String[0];
        else {
            s = new String[1];
            s[0] = alias;
        }
        return s;
    }

    public String[] getServerAliases(String type, Principal[] p) {
        return getClientAliases(type, p);
    }

    public PrivateKey getPrivateKey(String alias) {
        try {
            return (PrivateKey) ks.getKey(alias, pw);
        } catch (Exception e) {
            return null;
        }
    }
}

This key manager is initialized with a keystore and the particular alias in the keystore that you want to use. Since we've specified an alias, we treat client and server authentication the same way, though you could extend this idea to provide different aliases or otherwise treat the server authentication differently. As a result of this simplification, most methods end up calling the chooseClientAlias() method. This method checks to see if the key algorithm type matches and, if appropriate, if the key was provided by an entry in the issuers array. If everything matches, it returns the alias we want; otherwise it returns null. Two limitations are worth knowing about. The issuer check compares the issuer name of the alias's own certificate as a string, so a CA name that the peer renders with different attribute order or escaping will not match, and a certificate issued by an intermediate CA will not match a peer that lists only the root. And getPrivateKey() swallows every exception and returns null, so a wrong keystore password shows up as a failed handshake rather than as an error when the key manager is created.

The key manager itself must come from a key manager factory.[1] Hence, the next step we must take is to write a class that extends the KeyManagerFactorySpi class (com.sun.net.ssl.KeyManagerFactorySpi). That class contains the following abstract methods:

[1] Strictly speaking, this isn't true: we could instantiate the SSLKeyManager object directly, create an array for it, and pass that to the init() method of the SSL context. But that violates the spirit of the Java security framework.

protected abstract void engineInit(KeyStore ks, char[] password)
    Initialize the key manager factory, using the given keystore and password. This method may throw a KeyStoreException, a NoSuchAlgorithmException, or an UnrecoverableKeyException, as necessary.

protected abstract KeyManager[] engineGetKeyManagers()
    Return the array of key managers that work with the initialized keystore and password.

Here's how we implement the engine:

package javasec.samples.ch14;

import java.security.*;
import javax.net.ssl.*;
import com.sun.net.ssl.*;

public class SSLKeyManagerFactory extends KeyManagerFactorySpi {
    char[] pw;
    KeyStore ks;
    String alias;

    public SSLKeyManagerFactory() {
        // The alias to serve is taken from a system property.
        alias = System.getProperty("xyz.aliasName");
        if (alias == null)
            throw new IllegalArgumentException("Must specify alias property");
    }

    // Keep the keystore and password for engineGetKeyManagers().
    protected void engineInit(KeyStore ks, char[] password) {
        this.ks = ks;
        pw = password;
    }

    protected KeyManager[] engineGetKeyManagers() {
        SSLKeyManager[] km = new SSLKeyManager[1];
        km[0] = new SSLKeyManager(ks, alias, pw);
        return km;
    }
}
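The same single-alias key manager, rewritten as an added example (not code from the book) against the current javax.net.ssl API, which replaced the com.sun.net.ssl package used above: X509ExtendedKeyManager, whose choose methods receive the Socket or SSLEngine and, on the client side, an array of acceptable key types. It also addresses the two limitations noted for SSLKeyManager: issuers are compared as X500Principal values rather than DN strings, every certificate in the chain is tested against the peer's CA list so an intermediate-issued certificate still matches a peer that lists the root, and the private key is unlocked in the constructor so a bad password fails immediately. The main() method wires the manager straight into an SSLContext, the shortcut footnote [1] describes. The class name, the PKCS12 keystore and the command-line arguments are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.x500.X500Principal;

// Serves exactly one alias from a keystore. Class and argument names are
// this example's own choices, not the book's.
public class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final String alias;
    private final PrivateKey key;
    private final X509Certificate[] chain;   // leaf first, as stored in the keystore
    private final String keyType;            // algorithm of the leaf public key, e.g. "RSA" or "EC"

    public PinnedAliasKeyManager(KeyStore ks, String alias, char[] password) throws Exception {
        this.alias = alias;
        // Unlock the key once, up front: a wrong password fails here,
        // not silently in the middle of a handshake.
        key = (PrivateKey) ks.getKey(alias, password);
        Certificate[] raw = ks.getCertificateChain(alias);
        if (key == null || raw == null || raw.length == 0)
            throw new KeyStoreException(alias + ": not a private key entry");
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : raw)
            if (c instanceof X509Certificate)        // non-X.509 entries are ignored
                certs.add((X509Certificate) c);
        if (certs.isEmpty())
            throw new KeyStoreException(alias + ": no X.509 certificate");
        chain = certs.toArray(new X509Certificate[0]);
        keyType = chain[0].getPublicKey().getAlgorithm();
    }

    // The alias qualifies if one of the requested key types matches and, when
    // the peer sent a CA list, some certificate in our chain was issued by a
    // CA on that list. An absent or empty list means "any issuer".
    private String select(String[] keyTypes, Principal[] issuers) {
        boolean typeOk = false;
        for (String t : keyTypes)
            if (keyType.equalsIgnoreCase(t)) typeOk = true;
        if (!typeOk) return null;
        if (issuers == null || issuers.length == 0) return alias;
        for (Principal p : issuers) {
            // Compare as X500Principal, not as DN strings: one name can be
            // rendered with different attribute order, case or escaping.
            X500Principal wanted = (p instanceof X500Principal)
                    ? (X500Principal) p : new X500Principal(p.getName());
            for (X509Certificate c : chain)
                if (c.getIssuerX500Principal().equals(wanted)) return alias;
        }
        return null;
    }

    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
        return select(keyTypes, issuers);
    }
    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) {
        return select(keyTypes, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) {
        return select(new String[] { keyType }, issuers);
    }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine e) {
        return select(new String[] { keyType }, issuers);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        String a = select(new String[] { keyType }, issuers);
        return a == null ? new String[0] : new String[] { a };   // never null
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return getClientAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String a) {
        return alias.equals(a) ? chain.clone() : null;
    }
    @Override public PrivateKey getPrivateKey(String a) {
        return alias.equals(a) ? key : null;
    }

    // Usage: java PinnedAliasKeyManager keystore.p12 storepass alias
    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        PinnedAliasKeyManager km = new PinnedAliasKeyManager(ks, args[2], pw);
        // Hand the manager straight to the context (footnote [1]); no
        // KeyManagerFactory or provider registration is involved.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null);
        System.out.println("alias offered for " + km.keyType + ": "
                + km.chooseServerAlias(km.keyType, null, null));
    }
}
```

The SSLContext built in main() can be used for either side of a connection: as a server via ctx.getServerSocketFactory(), or as a client via ctx.getSocketFactory(), in which case the manager only answers when the server's CertificateRequest names a CA that issued something in the chain. Because trust managers are passed as null, the context falls back to the default trust store for verifying the peer, so the key manager controls only what this side presents.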