SSL TrustStore and KeyStore

Keystore

  • A file with the extension jks serves as a keystore. A Java KeyStore (jks) is a repository of security certificates, either authorization certificates or public key certificates, used for instance in SSL encryption.
  • A keystore stores private keys and the certificates corresponding to their public keys.
  • It provides credentials.
  • It is used by the key manager to decide which credentials to send to the remote host for authentication during the SSL handshake.

Truststore

  • Stores public keys or certificates from a CA, which are used to decide whether to trust the remote party / SSL connection.
  • Verifies credentials.
  • Used by the trust manager to determine whether the remote connection should be trusted.

Import

sudo keytool -import -file "your.pem" -keystore /usr/lib/jvm/java-6-oracle/jre/lib/security/cacerts -storepass "changeit" -alias "codeomitted.internal.service"

If the -trustcacerts option is specified, additional certificates are considered for the chain of trust, namely the certificates in the file named "cacerts":

sudo keytool -import -trustcacerts -alias "codeomitted.internal.service" -file "your.pem" -keystore keystore.pks -noprompt -v

Verify your import

keytool -list -v -keystore /usr/lib/jvm/java-6-oracle/jre/lib/security/cacerts

To remove keystore import

keytool -delete -alias "your alias" -keystore <your keystore file>

Troubleshoot

Troubleshoot your import process by running the command below and looking for the -Djavax.net.ssl.trustStore property in the arguments of the Java process:

ps -ef | grep java

On the client side, self-signed certificates are a waste of time. Either the self-signed certificate is incomplete, or information such as the CN does not match the domain, for example when the host is addressed by IP address or by some other internal-use domain. Both cases give you Java exceptions.

Problem with incomplete information

When Java verifies the certificate and the CN in the certificate does not match the host name:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <alias> found

Alias name: codeomitted.internal.service
Creation date: Jan 21, 2014
Entry type: trustedCertEntry

Owner: CN=localhost
Issuer: CN=localhost
Serial number: 51dac705
Valid from: Mon Jul 08 22:04:53 MYT 2013 until: Sun Oct 06 22:04:53 MYT 2013
Certificate fingerprints:
	 MD5:  77:62:E2:8E:82:8E:23:85:38:AB:18:1F:98:21:73:64
	 SHA1: DC:FC:62:7A:9E:C8:75:0F:AB:E8:DD:D0:72:7C:93:1C:26:E8:28:79
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Problem with IP address as domain

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

So just skip it

Yes, just skip it, or recreate the self-signed certificate with the CN set to the host name you connect to.

public static void skipChecking() {
    // Replace the default hostname verifier with one that accepts any hostname,
    // so the CN / subject alternative name mismatch no longer fails the handshake.
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
        new javax.net.ssl.HostnameVerifier() {
            public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
                return true;
            }
        }
    );
}
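The other route mentioned above, shown here as an added example that is not code from the original post: instead of replacing the hostname verifier, load a truststore that holds the imported certificate into an SSLContext for the connection, so the trust manager uses your truststore and the default hostname check against the CN / subject alternative names stays in place. The truststore path, its password and the host URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {

    // Build an SSLContext whose trust manager trusts only the certificates
    // contained in the given JKS truststore (the file you imported "your.pem" into).
    public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: this client presents no certificate of its own
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: replace with your truststore, its password and your host.
        SSLContext ctx = contextFromTrustStore("/path/to/truststore.jks", "changeit".toCharArray());
        URL url = new URL("https://codeomitted.internal.service/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Only this connection uses the custom truststore; the JVM-wide cacerts is untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is left in place: the certificate's CN or
        // subject alternative name must match the host in the URL, or the
        // "No name matching" / "No subject alternative names present" errors above appear.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the truststore is supplied per connection, the same JVM can keep the system cacerts untouched while still trusting the internal service's certificate.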