X509ExtendedKeyManager Class
The X509ExtendedKeyManager abstract class is an implementation of the
X509KeyManager interface that allows for connection-specific key selection. The
X509ExtendedKeyManager class adds two methods that select a key alias for the
client or server based on the key type, the allowed issuers, and the current
SSLEngine object:
    public String chooseEngineClientAlias(String[] keyType,
            Principal[] issuers, SSLEngine engine)

    public String chooseEngineServerAlias(String keyType,
            Principal[] issuers, SSLEngine engine)

If a key manager is not an instance of the X509ExtendedKeyManager class, it will
not work with the SSLEngine class. Note that the X509ExtendedKeyManager class
provides default implementations of these two methods that return null, so a
subclass that does not override them will never supply a key alias for an
SSLEngine-based connection.
For JSSE providers and key manager implementations, the X509ExtendedKeyManager
class is highly recommended over the legacy X509KeyManager interface.
In TLS 1.2 and later, both client and server are able to specify which hash and signature
algorithms they will accept (the signature_algorithms extension). To pass the authentication
required by the remote side, local key selection decisions must be based on both the X.509
certificate and the hash and signature algorithms the remote side accepts. You can retrieve the
remote side's accepted hash and signature algorithms with the
ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() method; during key selection the relevant
session is the one still being negotiated, which SSLEngine.getHandshakeSession() returns.
You can create your own X509ExtendedKeyManager subclass in a similar way to that
shown in Creating Your Own
X509ExtendedTrustManager subclass.
For example, if a key manager holds keys whose certificates have the subjects
cn=www.example.com, cn=www.example.org, and cn=www.example.net, and the client
requests www.example.net in the SNI extension, the server should be able to
select the certificate with subject cn=www.example.net.
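The following class is an added example and is not code from this guide or from the JDK; it shows one way to build the X509ExtendedKeyManager subclass described above, covering both the signature-algorithm check from the TLS 1.2 paragraph and the SNI-based selection from the example just given. The class name SniAwareKeyManager, the wrapping of a provider key manager as a delegate, and the matching policy (subject alternative dNSName entries first, then the subject CN, with a single left-most wildcard label) are assumptions of this example, not part of the guide.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.*;

/** Added example (not JSSE guide or JDK code): wraps the key manager a KeyManagerFactory returned and
 *  chooses the server alias from the SNI host name and the client's signature_algorithms (TLS 1.2). */
public final class SniAwareKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;

    public SniAwareKeyManager(X509ExtendedKeyManager delegate) { this.delegate = delegate; }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        String[] candidates = delegate.getServerAliases(keyType, issuers);
        if (candidates == null) return null;
        String sniHost = null; String[] peerSigAlgs = null;
        SSLSession hs = engine.getHandshakeSession();  // the session being negotiated, holds ClientHello data
        if (hs instanceof ExtendedSSLSession) {
            ExtendedSSLSession ext = (ExtendedSSLSession) hs;
            peerSigAlgs = ext.getPeerSupportedSignatureAlgorithms();
            try { sniHost = requestedHostName(ext.getRequestedServerNames()); }
            catch (UnsupportedOperationException e) { /* provider without SNI support: use the default cert */ }
        }
        return selectAlias(candidates, sniHost, peerSigAlgs);
    }

    /** Selection policy kept free of SSLEngine so it can be exercised with a fake delegate in tests. */
    String selectAlias(String[] candidates, String sniHost, String[] peerSigAlgs) {
        String fallback = null;
        for (String alias : candidates) {
            X509Certificate[] chain = delegate.getCertificateChain(alias);
            PrivateKey key = delegate.getPrivateKey(alias);
            if (chain == null || chain.length == 0 || key == null) continue;
            if (!peerCanVerify(key, chain, peerSigAlgs)) continue;  // the client could not authenticate us with it
            if (fallback == null) fallback = alias;                   // first usable entry is the default
            if (sniHost == null || certMatchesHost(chain[0], sniHost)) return alias;
        }
        return fallback;  // no SNI match: serve the default rather than aborting the handshake
    }

    /** TLS 1.2: our signing key type and every CA signature in the chain must be in the peer's list. */
    static boolean peerCanVerify(PrivateKey key, X509Certificate[] chain, String[] peerSigAlgs) {
        if (peerSigAlgs == null || peerSigAlgs.length == 0) return true;  // no signature_algorithms sent
        Set<String> accepted = new HashSet<>();
        for (String alg : peerSigAlgs) accepted.add(alg.toUpperCase(Locale.ROOT));
        String keyAlg = key.getAlgorithm().toUpperCase(Locale.ROOT);          // "RSA", "EC", "DSA"
        String suffix = "WITH" + ("EC".equals(keyAlg) ? "ECDSA" : keyAlg);   // e.g. SHA256withRSA -> WITHRSA
        boolean keyUsable = false;
        for (String alg : accepted) keyUsable |= alg.endsWith(suffix) || ("RSA".equals(keyAlg) && alg.startsWith("RSASSA-PSS"));
        if (!keyUsable) return false;
        for (X509Certificate cert : chain) {  // a self-signed root is trusted by identity, not by its signature
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            if (!selfSigned && !accepted.contains(cert.getSigAlgName().toUpperCase(Locale.ROOT))) return false;
        }
        return true;
    }

    /** Match the SNI host against SAN dNSName entries first, then the subject CN. */
    static boolean certMatchesHost(X509Certificate cert, String host) {
        String h = host.toLowerCase(Locale.ROOT);
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) for (List<?> san : sans) {  // GeneralName type 2 is dNSName
                if (Integer.valueOf(2).equals(san.get(0)) && hostMatches(h, (String) san.get(1))) return true;
            }
        } catch (CertificateParsingException e) { /* unreadable SAN: fall through to the CN */ }
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && hostMatches(h, String.valueOf(rdn.getValue()))) return true;
            }
        } catch (InvalidNameException e) { /* unparsable DN: no CN match */ }
        return false;
    }

    static boolean hostMatches(String host, String pattern) {
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return host.equals(p);
        int dot = host.indexOf('.');  // a single left-most wildcard label only, as in RFC 6125
        return dot > 0 && host.substring(dot + 1).equals(p.substring(2));
    }

    private static String requestedHostName(List<SNIServerName> names) {
        for (SNIServerName n : names) if (n instanceof SNIHostName) return ((SNIHostName) n).getAsciiName();
        return null;
    }

    // Everything the wrapper does not override is delegated unchanged.
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

To use it, take the X509ExtendedKeyManager that KeyManagerFactory.getKeyManagers() returns, wrap it, and pass the wrapper to SSLContext.init(new KeyManager[] { new SniAwareKeyManager(km) }, trustManagers, null). The wrapper only changes chooseEngineServerAlias, so socket-based servers still get the delegate's behaviour; if you also serve SSLSocket connections, override chooseServerAlias in the same way using socket.getHandshakeSession() on the SSLSocket. Keep in mind that the SNI host name is attacker-controlled input: it is only used here to pick among certificates you already hold, never to look anything up.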