Java has very good support for SSL/TLS enabled network connections. But before going into that, let's understand the hierarchy of certificate chaining. There are two kinds of certificates involved in the whole process of SSL connection establishment.
- Root Certificate - the certificate that establishes the credibility of a certificate issuing authority (CA) such as Symantec, GeoTrust, Thawte, DigiCert, GlobalSign, etc.
- Intermediate Certificate - the certificates that the certificate issuing authorities provide to the individual service providers
When a client tries to connect to a server using an SSL connection, the server responds with its Intermediate Certificate along with the response body. The client then checks the validity of the Intermediate Certificate by verifying that it has been issued by a trusted CA, which it does by looking up the corresponding Root Certificate. Once this validation succeeds, the connection is established. It is important to note here that clients need a certificate store containing the Root Certificates of all the CAs they trust; a web browser, for example, ships with one. If a client doesn't come pre-packaged with a particular Root Certificate, that certificate can also be imported. In development/non-production environments, this whole process is sometimes done away with by using a Self-signed Certificate, which isn't issued by a CA but by the server hosting the service itself. Needless to say, no Root Certificate is involved in such cases.
Java provides certain files/tools to handle the SSL/TLS certificates.
- trustStore/keyStore - both of these are represented by the Java class java.security.KeyStore. They are two separate files, each pointed to by its own system properties and intended for a different purpose. Both files are password protected.
- keytool - this is used to interact with the trustStore and keyStore to manage key pairs and certificates. The actions that can be performed with this tool include generating key pairs, exporting and importing certificates, listing and deleting keystore entries, and generating certificate signing requests. It doesn't provide a direct way to import a private key, though.
keyStore - it's defined by two properties, namely javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword. It is mainly used in SSL based server environments to store the private key and the certificates (the Intermediate Certificate) corresponding to your public key. These certificates are sent to clients during SSL based communication. The default format of this file is 'jks' (keystore.jks), but it can also be created in PKCS12 format. The file is created as and when it is needed. keyStores generally use the default password 'changeit'.
trustStore - it's defined by two properties, namely javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. It is mainly used by SSL based clients. It contains the root certificates of the Certificate Authorities (CAs), and a client uses a root certificate to verify that the intermediate certificate returned by the SSL based server was actually issued by a CA the client trusts. The trustStore that comes pre-bundled with Java is located at $JAVA_HOME/lib/security/cacerts. The file format here is also 'jks' (cacerts.jks). It is also possible to use a different trustStore file than the one provided by the system.
Although it is entirely possible to use a single file to represent both the keyStore and the trustStore, it's a bad practice: the keyStore holds your private keys, whereas the trustStore only needs public CA certificates and is the file you are more likely to copy around or share.
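The client-side check described above, as an added example that is not code from the original post: it builds a trust manager from an explicit trustStore file rather than from the javax.net.ssl.trustStore system property, and asks it whether a server's certificate chain leads to a root CA in that file. The file names, the alias myroot, the ChainCheck class name and the 'changeit' password are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Assumed inputs (not from the original post): truststore.p12, a PKCS12 trustStore holding
// only root CA certificates (e.g. built with keytool -importcert -alias myroot -file root.pem
// -keystore truststore.p12 -storetype PKCS12), and chain.pem, the PEM chain a server
// would send, leaf certificate first.
public class ChainCheck {
    // Load a password-protected store; the default type reads PKCS12 and legacy JKS files.
    static KeyStore loadStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Parse every certificate in a PEM file into an ordered chain.
    static X509Certificate[] readChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            return cf.generateCertificates(in).stream()
                     .map(c -> (X509Certificate) c).toArray(X509Certificate[]::new);
        }
    }
    // Ask a trust manager built from this store alone (not cacerts) whether the chain
    // leads to a CA it trusts; signatures and validity dates are checked along the way.
    static boolean chainIsTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            // "UNKNOWN" applies the JDK's generic server-certificate key usage rules
            tm.checkServerTrusted(chain, "UNKNOWN");
            return true;
        } catch (CertificateException e) {
            System.err.println("Rejected: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyStore ts = loadStore(Path.of("truststore.p12"), "changeit".toCharArray());
        X509Certificate[] chain = readChain(Path.of("chain.pem"));
        System.out.println(chainIsTrusted(ts, chain) ? "chain trusted" : "chain NOT trusted");
    }
}
```

Point chain.pem at a chain signed by a CA that is not in truststore.p12 and the trust manager rejects it, which is exactly the behaviour a client gets from javax.net.ssl.trustStore, only here the store is chosen per connection rather than JVM-wide.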