Menu
Is there a way via command line or via a custom Trust Manager, to create a custom trustStore that is backed by the cacerts?
The application uses a custom trustStore:
-Djavax.net.ssl.trustStore=/SSL/CATrust.jks
To hold our own trust certs and this was done in a custom file to simplify the upgrading of a JDK without having to migrate the cacerts.
The problem is that the cacerts carries so many standard certs, which we have not imported into CATrust.jks. Because of this, we receive SSL errors because the custom CATrust.jks that is supplied via the command-line property is exclusive and not additive (in addition to the cacerts certs).
So is there a way to supply a custom trustStore and if the cert is not found within that trustStore, the server/application will fallback to trying to find the cert within the cacerts (or a secondardy trustStore)?
So far from the initial reading and other posts, the information talks about only having a single trustStore where all CA certs are.
314
'cacerts' is a truststore. A trust store is used to authenticate peers. A keystore is used to authenticate yourself.
Truststore file, cacerts. jks, contains the Application Server's trusted certificates, including public keys for other entities. For a trusted certificate, the server has confirmed that the public key in the certificate belongs to the certificate's owner.
Keystore is used to store private key and identity certificates that a specific program should present to both parties (server or client) for verification. Truststore is used to store certificates from Certified Authorities (CA) that verify the certificate presented by the server in SSL connection.
A custom trust store is simply another keystore file containing the custom trust roots. Unlike default trust store, a configuration step is required enable use of a custom trust store. A trust store defines the roots of the certificate trust chain.
As part of your deployment, you could make a copy of the default cacerts and import the contents of your own keystore into it (or the other way around):
cp /path/to/cacerts merged.jks
keytool -importkeystore -srckeystore /SSL/CATrust.jks -destkeystore merged.jks
It would certainly be better to avoid using the same alias names (check the options for keytool -importkeystore for further details, especially if this has to be part of a script).
103
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
