Question

I am using SSL handshaking to connect to a URL. To do that, I generated a .csr file and got it signed. After signing, I created a my.jks file with 3 entries in it:

  1. Signed Client Cert
  2. Private Key
  3. CA

I use Jetty as the server, and I have exclusively set the keystore and truststore to the same jks file like this:

-Djavax.net.ssl.keyStore=/home/keystore/my.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/home/keystore/my.jks
-Djavax.net.ssl.trustStorePassword=changeit

It works fine. But is it the right way to do it? I thought the keystore should contain the client certs and private key, and the truststore should contain the CA. But when I tried doing this, I got the following error:

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Please advise on this.


Solution

No. A truststore contains nothing but public data: the public certificates of CAs that you trust. A KeyStore contains a private key and its certificate: your digital identity. They may even be controlled by different people. Don't conflate their functions.

OTHER TIPS

If you want to self-sign the certificate (only if you will be using it for intra-server communication without exchanging any personal/sensitive information):

1) Generate a CSR using -certreq

keytool -certreq -alias keyAlias -keystore locationPk -storepass yourpass -file myowncertrequest.csr

2) Generate certificate using the csr above:

keytool -gencert -infile myowncertrequest.csr -alias keyAlias -keystore locationPk -storepass yourpass -outfile myownsignedcert.cer

3) Import this into a "Separate" trust store

keytool -import -trustcacerts -alias myown -file myownsignedcert.cer -keystore intra_server_truststore -storepass goodpassword

This will create a custom trust store which will only be used within your own domains and for some basic authentication and data exchange. But do use a proper CA to sign these certificates if you would be exposing the services to the outside world.

For the first part of your question, I think this answer covers it pretty much. In short: yes, you can point both to the same file; no, it is not best practice. As far as the error you are getting, there are many reasons that could happen, but you could try to add the CA to the cacerts file from JAVA_HOME/jre/lib/security. This makes it available to all Java applications.
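The separation the accepted answer insists on (identity in the keystore, only public CA certificates in the truststore) can be checked and wired up programmatically. The following is an added example, not code from any of the answers or from Jetty; the file paths and the password are hypothetical, and it assumes the truststore was created separately as in the keytool steps above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SeparateStores {
    // Classify each alias: PrivateKeyEntry = your identity, trustedCertEntry = a CA you trust.
    // Returns how many private keys the store holds, so a truststore can be checked for conflation.
    static int countPrivateKeys(KeyStore ks, String label) throws Exception {
        int privateKeys = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                privateKeys++;
                System.out.println(label + ": " + alias + " -> PrivateKeyEntry (identity)");
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println(label + ": " + alias + " -> trustedCertEntry (public CA)");
            }
        }
        return privateKeys;
    }
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        // Hypothetical paths and password; replace with your own two separate files.
        char[] pw = "changeit".toCharArray();
        KeyStore keyStore = load("/home/keystore/server-keystore.jks", pw);
        KeyStore trustStore = load("/home/keystore/server-truststore.jks", pw);
        countPrivateKeys(keyStore, "keystore");
        // A truststore with a private key in it is the single-my.jks setup from the question.
        if (countPrivateKeys(trustStore, "truststore") > 0) {
            throw new IllegalStateException("truststore holds a private key: stores are conflated");
        }
        // Give each store its own role instead of pointing both -D properties at one file.
        // The truststore must hold the CA that signed the peer's certificate, or PKIX path building fails.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext built from separate identity and trust stores: " + ctx.getProtocol());
    }
}
```

The same classification is visible from the command line with `keytool -list -v -keystore <file>`, which labels each entry as PrivateKeyEntry or trustedCertEntry.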

Licensed under: CC-BY-SA with attribution