Should we point KeyStore and TrustStore to the same .jks file?

I am using an SSL connection to connect to a URL. To do this, I generated a .csr file and signed it. After signing, I created my.jks with 3 entries in it:

  • Signed Client Certificate
  • Private key
  • CA

I use Jetty as a server, and I set both the keystore and the truststore to this same .jks file, like this:

-Djavax.net.ssl.keyStore=/home/keystore/my.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/home/keystore/my.jks -Djavax.net.ssl.trustStorePassword=changeit 

It works great. But is it right to do this? I thought that the keystore should contain the client certificate and the private key, and the proxy should have the CA. But when I tried to do this, I got the following error:

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Failed to create PKIX path: sun.security.provider.certpath.SunCertPathBuilderException: could not find a valid certification path for the requested target"

Please advise.

+6
3 answers

No. The trust store contains nothing but public data: public CA certificates that you trust. KeyStore contains the private key and its certificate: your digital identifier. They can be controlled even by different people. Do not associate their functions.

+4

If you want to sign the certificate yourself (only if you will use it for intra-server communication without exchanging personal / confidential information):

1) Create a CSR using -certreq

keytool -certreq -alias keyAlias -keystore locationPk -storepass yourpass -file myowncertrequest.csr

2) Create a certificate using csr above:

keytool -gencert -infile myowncertrequest.csr -alias keyAlias -keystore locationPk -storepass yourpass -outfile myownsignedcert.cer

3) Import this into a separate trust store:

keytool -import -trustcacerts -alias myown -file myownsignedcert.cer -keystore intra_server_truststore -storepass goodpassword

This will create a custom trust store that will only be used in your own domains and for some basic authentication and data exchange. But you should use an appropriate CA to sign these certificates if they expose services to the outside world.

+1
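The three keytool steps above, carried through end to end, together with the split that the first answer asks for (identity in the keystore, nothing but public CA certificates in the truststore). This is an added example, not code from the question or from either answer: it assumes a JDK keytool on the PATH, and it goes one step beyond the answer by signing the CSR with a separate local CA key pair (alias demoCA, in its own keystore file) instead of with the server key itself, so that the truststore receives the issuer certificate rather than the leaf. All file names, aliases, DNs, the host name server.example.test and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# A local "CA" key pair (in its own keystore) signs a server CSR; the server
# keystore ends up with the private key plus its certificate chain, and a
# separate truststore ends up with only the CA's public certificate.
# Every file name, alias, DN and password below is constructed for the demo.
set -eu

# keytool ships with the JDK; without it there is nothing to demonstrate.
if ! command -v keytool >/dev/null 2>&1; then
  echo "keytool not found; install a JDK to run this example"
  exit 0
fi

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CASTORE="$WORK/ca.jks"            # held by whoever operates the local CA
KEYSTORE="$WORK/server.jks"       # identity: private key + certificate chain
TRUSTSTORE="$WORK/truststore.jks" # public data only: trusted CA certificates
STOREPASS="demo-password"         # constructed; PKCS12 needs keypass == storepass

# 0) A local CA: key pair with a CA-capable (basicConstraints) self-signed cert.
make_ca() {
  keytool -genkeypair -alias demoCA -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Demo Local CA" -ext "bc:c=ca:true" \
    -keystore "$CASTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -rfc -alias demoCA -keystore "$CASTORE" \
    -storepass "$STOREPASS" -file "$WORK/ca.cer"
}

# 1) Server key pair and a CSR for it (the answer's -certreq step).
make_server_csr() {
  keytool -genkeypair -alias keyAlias -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=server.example.test" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias keyAlias -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -file "$WORK/server.csr"
}

# 2) The CA signs the CSR (the answer's -gencert step, but with the CA's key).
sign_server_csr() {
  keytool -gencert -alias demoCA -keystore "$CASTORE" -storepass "$STOREPASS" \
    -infile "$WORK/server.csr" -outfile "$WORK/server.cer" \
    -validity 365 -ext "san=dns:server.example.test"
}

# 2b) Install the reply in the server keystore. keytool needs the issuer to
# build the chain, so the CA cert is imported temporarily and removed again:
# the keystore carries the identity, not the trust decisions.
install_server_chain() {
  keytool -importcert -noprompt -alias demoCA -file "$WORK/ca.cer" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias keyAlias -file "$WORK/server.cer" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -delete -alias demoCA -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# 3) A separate truststore holding nothing but the CA certificate (the answer's
# third step, importing the issuer rather than the leaf certificate).
make_truststore() {
  keytool -importcert -noprompt -alias demoCA -file "$WORK/ca.cer" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Checks worth running before handing the two files to anyone.
keystore_has_private_key() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | grep -q "PrivateKeyEntry"
}
keystore_chain_is_complete() {   # leaf + CA = chain length 2
  keytool -list -v -alias keyAlias -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -q "Certificate chain length: 2"
}
truststore_has_no_private_key() {
  ! keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | grep -q "PrivateKeyEntry"
}

make_ca
make_server_csr
sign_server_csr
install_server_chain
make_truststore

# The JVM flags then name two different files, unlike the question's command line.
echo "-Djavax.net.ssl.keyStore=$KEYSTORE -Djavax.net.ssl.trustStore=$TRUSTSTORE"
```

The truststore produced here can be handed to a client, or its CA certificate appended to a JVM's cacerts, without exposing the server's private key; the keystore stays with the server. The temporary import-and-delete of the CA certificate in step 2b is only there so keytool can assemble the chain; the PrivateKeyEntry keeps the full chain after the trusted entry is removed.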

In the first part of your question, I think this answer covers it to a large extent. In short, yes, you can point both to the same file; no, this is not the best practice. Regarding the error you are getting, there are many reasons that can happen, but you can try adding the CA to the cacerts file in JAVA_HOME/jre/lib/security. This makes it available for all Java applications.

0
