File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Security and the fly likes Applets, SSL Sockets, and Certificates Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "Applets, SSL Sockets, and Certificates" Watch "Applets, SSL Sockets, and Certificates" New topic

Applets, SSL Sockets, and Certificates

Gary Blomquist

Joined: Dec 07, 2001
Posts: 14
I am developing an client/server application using SSL sockets and a trial certificate from Thawte. The client is a Java applet. The server is an inhouse developed program running on the host the applet is downloaded from - the originating host.

I have performed the following steps:

1. Generate a key pair and keystore using Sun's keytool
1. Generate a CSR.
2. Obtain a 20 day PKCS#7 test certificate from Thawte.
3. Import the test certificate into the original keystore.
4. Sign the jar file with the test certificate (otherwise step 6 is not permitted.)
5. Include the keystore in the applets jar file as a truststore and as a keystore on the host the server runs on.
6. Programatically, read the truststore when creating the SSL socket in the applet.

This process works.

However, I thought that it would be unsecure to include the keystore in the applet. I thought the keystore contained the server's public/private key pair. However, I now realize that when the Thawte signed certificate is imported into the keystore it replaces the original public/private key pair.

What I don't understand is how the encryption takes place. The client is using the keystore containing the signed certificate as its truststore and the server has the same keystore containing the signed certificate. But where is the private key used for encryption? Is this process I have described secure? In other words, if someone retrieved the keystore/truststore from the applet would that be a security hazard? Would it be better to have the applet download the truststore from the server?

I thought I would need two different keystores. The original keystore containing the public/private key pair on the server and a trust store on the client containing the signed certificate. I tried this; however, I was unable to import the signed certificate into a new keystore. I could only import it into the keystore containing the original public/private key pair.

Thanks for your assistance,

Gary Blomquist
I agree. Here's the link:
subject: Applets, SSL Sockets, and Certificates
jQuery in Action, 3rd edition