13

I am using SSL handshaking to connect to a URL. To do that, I generated a .csr file and got it signed. After signing, I created a my.jks file with 3 entries in it

  1. Signed Client Cert
  2. Private Key
  3. CA

I use jetty as server and I have exclusively set the keystore and truststore to the same jks file like this

-Djavax.net.ssl.keyStore=/home/keystore/my.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/home/keystore/my.jks
-Djavax.net.ssl.trustStorePassword=changeit

It works fine. But is it the right way to do it? I thought the keystore should contain the client certs and private key, and the truststore should contain the CA. But when I tried doing this, I get the following error.

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Please advise on this.

coderslay

3 Answers

10

No. A truststore contains nothing but public data: the public certificates of CAs that you trust. A KeyStore contains a private key and its certificate: your digital identity. They may even be controlled by different people. Don't conflate their functions.

user207421
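Keeping the two stores apart in code rather than through the javax.net.ssl system properties, as an added example that is not part of the answer above; the file names, aliases and passwords are placeholders, and the check() method is an illustrative sanity test for the separation the answer describes:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class SeparateStores {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Keystore = our identity (private key + its chain); truststore = CA certs only. */
    public static SSLContext build(String keyStorePath, char[] keyPass,
                                   String trustStorePath, char[] trustPass) throws Exception {
        KeyStore identity = load(keyStorePath, keyPass);
        KeyStore trust = load(trustStorePath, trustPass);
        check(identity, trust);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);                 // only the keystore supplies key managers
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                             // only the truststore supplies trust managers

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fails fast if a private key leaked into the truststore or the keystore has no usable identity. */
    static void check(KeyStore identity, KeyStore trust) throws Exception {
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trust.isKeyEntry(alias))
                throw new IllegalStateException("private key '" + alias + "' must not be in the truststore");
        }
        for (Enumeration<String> e = identity.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // The signed reply must be imported under the key's alias so the key entry carries its chain.
            Certificate[] chain = identity.getCertificateChain(alias);
            if (identity.isKeyEntry(alias) && chain != null && chain.length > 0) return;
        }
        throw new IllegalStateException("keystore has no private key entry with a certificate chain");
    }
}
```

Call build("/home/keystore/my.jks", keyPass, "/home/keystore/truststore.jks", trustPass) and hand the returned SSLContext to the client; if the truststore lacks the CA that signed the peer's certificate, the handshake still fails with the PKIX path-building error from the question.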
1

If you want to self-sign the certificate (only if you will be using it for intra-server communication without exchanging any personal/sensitive information):

1) Generate a CSR using -certreq

keytool -certreq -alias keyAlias -keystore locationPk -storepass yourpass -file myowncertrequest.csr

2) Generate certificate using the csr above:

keytool -gencert -infile myowncertrequest.csr -alias keyAlias -keystore locationPk -storepass yourpass -outfile myownsignedcert.cer

3) Import this into a "Separate" trust store

keytool -import -trustcacerts -alias myown -file myownsignedcert.cer -keystore intra_server_truststore -storepass goodpassword

This will create a custom trust store which will only be used within your own domains and for some basic Authentication and Data Exchange. But do use a proper CA to sign these certificates if you would be exposing the services to the outside world.

ha9u63a7
  • You don't need to generate a CSR. Just use the `-genkey` option. That generates a keypair and a certificate. One step instead of two. – user207421 Jan 16 '20 at 09:41
0

For the first part of your question, I think this answer covers it pretty much. In short, yes, you can point both to the same file; no, it is not best practice. As far as the error you are getting, there are many reasons that could happen, but you could try to add the CA to the cacerts file from JAVA_HOME/jre/lib/security. This makes it available to all Java applications.

BadSkillz
  • To be clear, @Bruno's answer that you're citing doesn't actually support your answer of 'yes'. – user207421 Feb 09 '14 at 22:00
  • The last part of his answer: "In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based)." tells me you can put both in one file, although it's not best practice. – BadSkillz Feb 10 '14 at 09:30