Custom trustStore with cacerts as a fallback for keys not in custom trustStore

Tags: java, ssl

Is there a way, via the command line or via a custom TrustManager, to create a custom trustStore that is backed by the cacerts?

The application uses a custom trustStore:

-Djavax.net.ssl.trustStore=/SSL/CATrust.jks

to hold our own trust certs. This was done in a custom file to simplify upgrading the JDK without having to migrate the cacerts.

The problem is that the cacerts carries so many standard certs, which we have not imported into CATrust.jks. Because of this, we receive SSL errors because the custom CATrust.jks that is supplied via the command-line property is exclusive and not additive (in addition to the cacerts certs).

So is there a way to supply a custom trustStore and, if the cert is not found within that trustStore, have the server/application fall back to trying to find the cert within the cacerts (or a secondary trustStore)?

So far, from the initial reading and other posts, the information talks about only having a single trustStore where all CA certs are.

Jay Blanton asked Nov 06 '12 17:11


1 Answer

As part of your deployment, you could make a copy of the default cacerts and import the contents of your own keystore into it (or the other way around):

# start from a copy of the JDK's cacerts so every standard CA is present
cp /path/to/cacerts merged.jks
# then add every entry of the custom store (keytool prompts for both store passwords)
keytool -importkeystore -srckeystore /SSL/CATrust.jks -destkeystore merged.jks

It would certainly be better to avoid using the same alias names (check the options for keytool -importkeystore for further details, especially if this has to be part of a script).

Bruno answered Sep 28 '22 04:09
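The question also asks about the other route, a custom TrustManager that consults CATrust.jks first and falls back to cacerts, which the answer above does not cover. The following is an added example of that approach; it is not code from the question or the answer. It assumes the custom store lives at /SSL/CATrust.jks (the path from the question), that the JDK's cacerts is at $JAVA_HOME/lib/security/cacerts, and that both stores use the keytool default password "changeit"; adjust these to your deployment.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the question or answer): an X509TrustManager that
 * tries each delegate store in order and accepts a chain as soon as one of
 * them does. The effective trust is therefore the UNION of all stores.
 */
public final class FallbackTrustManager implements X509TrustManager {

    private final List<X509TrustManager> delegates;

    public FallbackTrustManager(List<X509TrustManager> delegates) {
        if (delegates.isEmpty()) {
            throw new IllegalArgumentException("at least one delegate is required");
        }
        this.delegates = new ArrayList<>(delegates);
    }

    /** Loads a keystore file and wraps it in the JDK's default (PKIX) X509TrustManager. */
    public static X509TrustManager fromKeyStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager produced for " + file);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try {
                tm.checkServerTrusted(chain, authType);
                return; // accepted by this store, stop here
            } catch (CertificateException e) {
                last = e; // rejected by this store, try the next one
            }
        }
        throw last; // every store rejected the chain; surface the last reason
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try {
                tm.checkClientTrusted(chain, authType);
                return;
            } catch (CertificateException e) {
                last = e;
            }
        }
        throw last;
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Advertise the issuers of every store (used e.g. in client-cert requests).
        List<X509Certificate> all = new ArrayList<>();
        for (X509TrustManager tm : delegates) {
            all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
        }
        return all.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: custom store path from the question, the running JDK's own
        // cacerts under java.home, and the keytool default password "changeit".
        Path custom = Paths.get("/SSL/CATrust.jks");
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] pw = "changeit".toCharArray();

        X509TrustManager tm = new FallbackTrustManager(Arrays.asList(
                fromKeyStore(custom, pw),     // consulted first
                fromKeyStore(cacerts, pw)));  // fallback

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLContext.setDefault(ctx); // HttpsURLConnection and friends now use both stores
    }
}
```

Two caveats a practitioner should keep in mind. First, this only helps when you control the SSLContext in code; if the application is configured purely through -Djavax.net.ssl.trustStore, the merged-keystore approach in the answer is the one that works, since that property names exactly one store. Second, an X509TrustManager only validates the certificate chain; hostname verification is done separately by the caller (HttpsURLConnection does it by default), so wrapping trust managers does not weaken it, but it does widen trust to everything either store accepts, which is the same outcome as merging the stores.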