I am developing an client/server application using SSL sockets and a trial certificate from Thawte. The client is a Java applet. The server is an inhouse developed program running on the host the applet is downloaded from - the originating host.
I have performed the following steps:
1. Generate a key pair and keystore using Sun's keytool 1. Generate a CSR. 2. Obtain a 20 day PKCS#7 test certificate from Thawte. 3. Import the test certificate into the original keystore. 4. Sign the jar file with the test certificate (otherwise step 6 is not permitted.) 5. Include the keystore in the applets jar file as a truststore and as a keystore on the host the server runs on. 6. Programatically, read the truststore when creating the SSL socket in the applet.
This process works.
However, I thought that it would be unsecure to include the keystore in the applet. I thought the keystore contained the server's public/private key pair. However, I now realize that when the Thawte signed certificate is imported into the keystore it replaces the original public/private key pair.
What I don't understand is how the encryption takes place. The client is using the keystore containing the signed certificate as its truststore and the server has the same keystore containing the signed certificate. But where is the private key used for encryption? Is this process I have described secure? In other words, if someone retrieved the keystore/truststore from the applet would that be a security hazard? Would it be better to have the applet download the truststore from the server?
I thought I would need two different keystores. The original keystore containing the public/private key pair on the server and a trust store on the client containing the signed certificate. I tried this; however, I was unable to import the signed certificate into a new keystore. I could only import it into the keystore containing the original public/private key pair.