
I have a server application and a client application.

The server uses https, and has a .jks file. Apart from that, I use authentication with login and password.

I wonder if the client side should use a .cert certificate. I thought the client's certificate should match the server's certificate, but it seems that I was wrong.

I have some trouble understanding the topic, so please be understanding.

Someone

1 Answer

Keystore

A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – used for instance in SSL encryption.

  • In IBM WebSphere Application Server and Oracle Weblogic Server, a file with extension jks serves as keystore.
  • The Java Development Kit maintains a CA keystore in folder jre/lib/security/cacerts.

Keystore comes in two flavors:

1. Trust:
A trust store contains certificates that are issued by somebody you trust, like a root certificate from a CA.

2. Identity:

  • An identity store contains your own certificates and they are used to authenticate you when you access an external service.
  • A trust store does not contain sensitive information, while identity stores contain very sensitive information like private keys.
  • Contains a demonstration private key for server. This keystore establishes an identity for the server.


I wonder if the client side should use a .cert certificate.

If you mean to connect to an HTTPS service, then you should export the server's SSL certificate and import it into your server's keystore; probably you can import it into jre/lib/security/cacerts.

The client is only required to have an SSL certificate if it is 2-way SSL, meaning the client is also required to send an SSL certificate to the server because the server has requested it.

Why is it required? Because during the SSL handshake the server will send its SSL certificate and the client will validate this certificate against the trusted list of certificates present in its keystore. If it is not validated then the SSL handshake cannot be completed, and hence no communication can be established. So you must have the server's SSL certificate inside your trusted store of certificates.

I thought the client's certificate should match the server's certificate, but it seems that I was wrong.

Yes, you are right, the SSL certificates of 2 different parties will be different.

Each party who requires an SSL certificate will generate the public-private key pair at their end and will raise a CSR to a Certificate Authority (CA), who will generate the SSL certificate using the provided key.


How to export and import SSL certificates

To export a certificate:

If it can be accessed using the web, then click on the HTTPS icon, view the certificate and follow the export commands.

If it cannot be accessed using the web, then use openssl to export the certificate. Use the command below:

openssl s_client -connect host:port -key our_private_key.pem -showcerts -cert our_server-signed_cert.pem

To import a certificate:

Use the command: keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Further reading on export and import:

hagrawal7777
  • "you should export the server's SSL certificate and import in your server's keystore" - I don't understand, why and how to do that? I'm confused. My server doesn't have SSL certificate, only the keystore. – Someone Oct 27 '15 at 17:04
  • See my edit for how to export and import. You don't need to have an SSL certificate, you should only import the server's SSL certificate inside your trusted keystore. I have already told you in my answer "*Client is only required to have a SSL certificate if it is a 2 way SSL*". – hagrawal7777 Oct 27 '15 at 17:09
  • You mean 'server' like tomcat? Ok. BTW, if 1 way SSL is safe, why use 2 way SSL? – Someone Oct 27 '15 at 17:29
  • "*if 1 way SSL is safe, why use 2 way SSL*" - Typically the client is required to authenticate the server, but sometimes the server also requests the client's identity; in those scenarios 2 way SSL is required. If all this answers your question, then would you mind accepting the answer. Please feel free to let me know if you have any other doubt. – hagrawal7777 Oct 27 '15 at 17:30
  • ok, if I have a certificate in client application, how to verify it on the server's side? – Someone Oct 28 '15 at 14:29
  • Could you please elaborate? – hagrawal7777 Oct 28 '15 at 14:30
  • I'm talking two way SSL. Do I need to have two keystore files, one for the server with a client cert, and one for the client with a server cert? – Someone Oct 28 '15 at 14:44
  • For 2 way SSL, in server-server communication - you need to have an SSL certificate in your server, present in your **identity** keystore (getting a good SSL certificate is not an easy process). For 2 way SSL, in client-server communication - your browser should have it and be able to send it to the server. Given the information you had provided earlier I think you don't need all this complexity. If you really want to do it, then you need to read a lot about 2 way SSL etc. Anyways, I have provided you all the needed information to know the basics. Please let me know if you have any question. – hagrawal7777 Oct 28 '15 at 21:01
  • I have a client which is a desktop application and I have a server application. What I have done so far is I made two keystores, and I imported into each of them a cert from the other keystore (two keystore files, one for the server with a client cert, and one for the client with a server cert). – Someone Oct 28 '15 at 23:13
  • But I have to send these certificates somehow, probably; I need to find out how. I do all of that to make sure that the client application is an authentic application, I don't want another application to connect to the server, and I also need to have a connection which is secure (so no one can read the data that is being sent). – Someone Oct 28 '15 at 23:17
  • Why do you need the browser/desktop application to authenticate to the server? I really cannot understand, it generally doesn't happen. 2 way SSL is more about server to server communication where both server parties can ask for certificates for authentication. – hagrawal7777 Oct 29 '15 at 14:07
  • Ok, the topic is more clear now for me. Thank you for your time. – Someone Nov 01 '15 at 20:32
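The following Java program is an added example, not code from the answer or from the asker; it ties together the answer's trust-store/identity-store distinction and the comment thread's two-way SSL setup (two keystores, each trusting the other side's exported certificate). All file names (`server.jks`, `server-trust.jks`, `client.jks`, `client-trust.jks`), the password `changeit` and the keytool setup commands in the comments are assumptions for the demo; the certificate for the server is assumed to carry `localhost` as a subject alternative name so that hostname verification passes.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;

public class MutualTlsDemo {
    // Assumed one-time setup (not from the original page), mirroring the asker's two-keystore layout:
    //   keytool -genkeypair -alias server -keyalg RSA -keystore server.jks -ext san=dns:localhost
    //   keytool -exportcert -alias server -keystore server.jks -file server.cer
    //   keytool -importcert -alias server -file server.cer -keystore client-trust.jks
    //   keytool -genkeypair -alias client -keyalg RSA -keystore client.jks
    //   keytool -exportcert -alias client -keystore client.jks -file client.cer
    //   keytool -importcert -alias client -file client.cer -keystore server-trust.jks
    // Identity stores hold private keys (sensitive); trust stores hold only the peer's certificate.

    static SSLContext buildContext(String identityPath, char[] identityPw,
                                   String trustPath, char[] trustPw) throws Exception {
        // Identity store: our own key pair + certificate, used to prove who WE are
        KeyStore identity = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(identityPath)) {
            identity.load(in, identityPw);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, identityPw);

        // Trust store: certificates of the peers we are willing to accept (no private keys)
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustPath)) {
            trust.load(in, trustPw);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // assumed password for all four demo stores
        SSLContext serverCtx = buildContext("server.jks", pw, "server-trust.jks", pw);
        SSLContext clientCtx = buildContext("client.jks", pw, "client-trust.jks", pw);

        SSLServerSocket server =
            (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        // 2-way SSL: the handshake fails unless the client presents a certificate
        // that chains to something in server-trust.jks. Drop this line for 1-way SSL.
        server.setNeedClientAuth(true);
        int port = server.getLocalPort();

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                // The client's identity comes from the certificate it presented and we trusted
                System.out.println("server: authenticated client " + s.getSession().getPeerPrincipal());
                s.getOutputStream().write("hello\n".getBytes("UTF-8"));
                s.getOutputStream().flush();
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        serverThread.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port)) {
            // Besides trusting the cert, check that it was issued for the host we dialled
            SSLParameters params = c.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            c.setSSLParameters(params);
            c.startHandshake();
            System.out.println("client: verified server " + c.getSession().getPeerPrincipal());
            BufferedReader reader = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"));
            System.out.println("client: received " + reader.readLine());
        }
        serverThread.join();
        server.close();
    }
}
```

Run with `java MutualTlsDemo.java` (JDK 11+) in the directory holding the four keystores. If `client-trust.jks` lacks the server's certificate the client side throws an `SSLHandshakeException` (the "not validated, so no communication" case from the answer); if `server-trust.jks` lacks the client's certificate, the server rejects the connection instead, which is the property the asker wanted: only a client holding the private key matching a trusted certificate can connect.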