I am trying to test a simple Java desktop application that just opens a URL connection via HTTPS using the URL class (passing a "https://...." URL). I need to connect to one of our internal servers for this test.
Our server guys created a self-signed certificate (*.cer file) and gave it to me.
Do I import the *.cer file into my JRE's cacerts file? Should I import it into a different place (a trust store)? How do I import it?
What is the difference between a keystore and a trust store? Do they both contain public key certificates?
I'm not sure I understand the -trustcacerts option on keytool.
Many thanks in advance.
Hello again everyone,
I forgot to say in my original post...
From my reading I think I need a trust store (not a key store). I think I should import the *.cer file (the certificate I was given) into a trust store.
How do I create a trust store and how do I import the *.cer file into it? Then, how/where do I deploy that to my JRE?
I guess I run keytool with the "correct" arguments. What file does it produce? What do I do with that file? Do I just copy it to my $JAVA_HOME/jre/lib/security directory?
From a file format/content point of view, there is absolutely no difference between a KeyStore and a TrustStore, because it is actually a KeyStore that you would be marking as a TrustStore for the Java security library to use.
This is how SSL certificates and Java applications work.
1. When you connect to an SSL server, the Java application asks the server to send its certificate.
2. The client checks if the certificate is valid (signature, validity date, etc.).
3. If step 2 validates successfully, the Java client validates whether the issuer of the certificate can be trusted. This is where the trust store comes into the picture. Java, by default, goes to the <jre>/lib/security/cacerts file to see if the issuer can be accepted. If the (last) issuer is not found in that trust store, it throws an exception.
4. In theory, to test your SSL application in test mode, you can add the server certificate (given by your admin) to the default cacerts (which is a very, very bad approach) or create a new trust store with that certificate and use that in your application (this is the preferred approach).
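As an added illustration of the "preferred approach" in step 4 (this is example code, not from the original thread or from any poster), the following shows the two halves of that approach: the keytool command that creates a separate trust store from the *.cer file sits in the comment at the top, and the class below loads that trust store and uses it only for the connection to the internal server. The file names `server.cer` and `internal-truststore.jks`, the alias `internal-server`, the password `changeit` and the host `internal.example.test` are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Step 1 (done once, on the command line; placeholder names): create a new
 * trust store containing only the certificate the server admin gave you.
 * A new file is created if internal-truststore.jks does not exist yet.
 * -trustcacerts lets keytool also consult the JRE's cacerts when it tries to
 * build the chain for the imported certificate; for a self-signed cert that
 * chain is just the cert itself, so -noprompt accepts it as trusted.
 *
 *   keytool -importcert -trustcacerts -alias internal-server \
 *           -file server.cer -keystore internal-truststore.jks \
 *           -storepass changeit -noprompt
 *
 * Step 2: use that file from the application, as below. This leaves the
 * JRE's cacerts untouched and only affects connections made with this
 * SSLContext.
 */
public class InternalServerTrust {

    // Build an SSLContext whose trust decisions come only from the given
    // trust store file (a KeyStore that holds trusted certificates, no keys).
    static SSLContext sslContextFor(String trustStorePath, char[] storePassword) throws Exception {
        // keytool writes the JRE's default type (JKS on Java 8, PKCS12 on 9+),
        // so loading with the default type matches the file keytool produced.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, storePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String trustStorePath = args.length > 0 ? args[0] : "internal-truststore.jks";
        String target = args.length > 1 ? args[1] : "https://internal.example.test/";

        SSLContext ctx = sslContextFor(trustStorePath, "changeit".toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        // Only this connection uses the custom trust store; everything else in
        // the JVM keeps using the default cacerts.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getURL().getHost());
    }
}
```

Two points worth knowing when you run this. First, the alternative of not touching the code and instead starting the JVM with `-Djavax.net.ssl.trustStore=internal-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit` replaces the default trust store for the whole JVM, so with a file that holds only the one self-signed certificate, connections to public HTTPS sites from that JVM will stop validating; the per-connection socket factory above avoids that. Second, the trust store only answers "is the issuer trusted"; HttpsURLConnection still checks that the host name in the URL matches the certificate, so the admin's certificate has to have been issued for the name you actually connect to, or you will get a hostname verification error rather than a trust error.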