We've built a Java EE app in JBoss that exposes web services to external consumers. We want to secure these services so that we know who is making the web service invocations. We have a registration process that requires the consumers to upload their public key so that we can add it to our truststore. However, it is currently a manual process of using the keytool from the command line to add them to the truststore.
This whole setup seems rather primitive. I don't like the idea of a truststore on the filesystem that is not part of the database. There must be an approach that lets you utilize the database to store the certs. Should I put the certs in a blob column, and roll my own custom TrustManager that pulls the public key out of the db and verifies the signature? Or is there some other generally implemented open-source solution to this problem?
Why don't you just store the PEM file in the database? It can be a BLOB or a text column.
Google's web app registration is a good example. Look at step 4: Upload a security certificate.
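As an added example (not code from the question, the answer, or JBoss itself), the following Java class does what the answer suggests and what the question asks about: it reads PEM-encoded consumer certificates out of a database table, parses them with the JDK's `CertificateFactory` (which accepts PEM input directly), builds an in-memory `KeyStore` from them, and hands that to the standard PKIX `TrustManagerFactory` instead of a truststore file on disk. The table name `consumer_cert`, its columns, and the `consumer_id` mapping are assumptions for illustration; the JDBC URL and driver are whatever your JBoss datasource already uses. It is written for the case where consumers present their certificate as a TLS client certificate; the same `consumerFor` lookup serves if you verify WS-Security signatures instead.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class DbTrustStore {

    // Assumed schema (illustrative, not from the original post):
    //   CREATE TABLE consumer_cert (
    //     consumer_id VARCHAR(64) NOT NULL,
    //     cert_pem    TEXT        NOT NULL,  -- "-----BEGIN CERTIFICATE-----" ... block
    //     revoked     BOOLEAN     NOT NULL DEFAULT FALSE
    //   );
    private static final String SELECT_ACTIVE =
        "SELECT consumer_id, cert_pem FROM consumer_cert WHERE revoked = FALSE";

    /** Parse one PEM-encoded X.509 certificate; CertificateFactory reads PEM as well as DER. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Load every non-revoked consumer certificate, keyed by consumer id. */
    static Map<String, X509Certificate> loadFromDb(Connection conn) throws Exception {
        Map<String, X509Certificate> certs = new LinkedHashMap<>();
        try (PreparedStatement ps = conn.prepareStatement(SELECT_ACTIVE);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                String id = rs.getString("consumer_id");
                try {
                    X509Certificate cert = parsePem(rs.getString("cert_pem"));
                    cert.checkValidity(); // skip expired or not-yet-valid certs rather than trusting them
                    certs.put(id, cert);
                } catch (CertificateException e) {
                    System.err.println("skipping consumer " + id + ": " + e.getMessage());
                }
            }
        }
        return certs;
    }

    /** Build an in-memory KeyStore of trust anchors and a PKIX X509TrustManager over it. */
    static X509TrustManager trustManagerFor(Map<String, X509Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty, in-memory; nothing is written to the filesystem
        for (Map.Entry<String, X509Certificate> e : certs.entrySet()) {
            ks.setCertificateEntry(e.getKey(), e.getValue());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext that accepts only client certificates registered in the database. */
    static SSLContext sslContextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /** Map a certificate the client presented back to the registered consumer (exact DER match). */
    static String consumerFor(Map<String, X509Certificate> certs, X509Certificate presented) {
        for (Map.Entry<String, X509Certificate> e : certs.entrySet()) {
            if (e.getValue().equals(presented)) {
                return e.getKey();
            }
        }
        return null; // trusted by nobody we know: treat as authentication failure
    }

    public static void main(String[] args) throws Exception {
        // Usage: java DbTrustStore <jdbc-url> [user] [password]
        String url = args[0];
        try (Connection conn = args.length > 2
                 ? DriverManager.getConnection(url, args[1], args[2])
                 : DriverManager.getConnection(url)) {
            Map<String, X509Certificate> certs = loadFromDb(conn);
            X509TrustManager tm = trustManagerFor(certs);
            System.out.println("Loaded " + tm.getAcceptedIssuers().length + " trust anchors:");
            for (Map.Entry<String, X509Certificate> e : certs.entrySet()) {
                System.out.println("  " + e.getKey() + " -> " + e.getValue().getSubjectX500Principal());
            }
        }
    }
}
```

Two things to keep in mind with this approach: the `KeyStore` is a snapshot, so rebuild the trust manager (or refresh it on a schedule) whenever a consumer registers or is revoked, otherwise the database and the live trust anchors drift apart exactly as the manual keytool process did; and the trust manager only answers "is this certificate one we registered?", so use `consumerFor` (or an equivalent lookup by the certificate's subject or key identifier) to turn the accepted certificate into the consumer identity you actually want to authorize on.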