Trust only my selfsigned certificate in httpclient

Question

I generated selfsigned certifiacte to use it to authenticate my web appliaction. Clients instead of web browser use client application to comunicate with web server. Client application uses httpclient. The internet is full of examples of how to trust all the ssl certificates in httpclient. I don't want to trust all certificate, I want trust only one, my selfsigned certificate (of course every CA trusted certificate also). I know that I can add my certificate to trusted keystore using keytool, but I don't want to interface in JSSE keystore. I want to say httpclient to trust one specific selfsigned certificate.

First question:

Is it possible?

Second question:

Described solution is ok in development environment. I'm think that is bad practice, but I wonder that is it acceptable in production environment?

Answer 1

Is it possible?

Of course, it is. You just might need to do more work managing your trust material and initializing the SSL context for your application. You can choose to trust one and only certificate, or you can choose to use trust material shipped with JRE and then selectively add trust material specific to your application.

You could use SSLContextBuilder from Apache HttpClient 4.3 to simplify the process of trust and key material management and initialization

is it acceptable in production environment?

This very much depends on the security context and requirements of your application. Trusting only one specific certificate without trusting any of standard CAs might make your application marginally less susceptible to man-in-the-middle exploits but will require re-configuration and possibly redeployment every time the certificate in question expires or gets revoked. It will also become your responsibility to ensure that the private key will not fall into the wrong hands. It is a combination of pros and cons.