Friday, July 18, 2014

Java Keystore for SSL



A keystore is a file that stores security or authorization certificates; you can think of it as a repository of certificates. In Java, to connect to an SSL-enabled service, the SSL certificate of that service needs to be added to Java's keystore. This keystore is also called the trust store. By default the "cacerts" file in the "jre/lib/security" directory is the trust store, but we can define another file as the trust store by adding the following parameter when running the application.


Why a keystore?

If your Java program needs to connect to a web service or download something over SSL, then you need to import the certificate (the trust) into your keystore.

How can I import a trust into the keystore?

We can use the openssl command to fetch the certificate from the service, and the keytool command to import it into the keystore.

    # stdin is redirected from /dev/null so s_client exits after the handshake instead of waiting for input
    openssl s_client -connect hostname_of_service:ssl_port </dev/null >trust.cert

Open trust.cert in a text editor and delete the lines before -----BEGIN CERTIFICATE----- and the content after the -----END CERTIFICATE----- line, then save the file.
Using the following command we can import this trust into our keystore. Here I am importing into Java's cacerts, but if you are using a file other than cacerts, use that file name as the keystore.

    keytool -import -alias "tomcat" -file trust.cert -keystore /java-6-openjdk-amd64/jre/lib/security/cacerts

The above command will prompt for the keystore password.

Note: instead of /java-6-openjdk-amd64/jre/lib/security/cacerts you can use whichever file you are going to use as the keystore.
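The fetch, trim and import steps above can be scripted so that the certificate block is cut out of the openssl output automatically instead of by hand-editing, its fingerprint is shown for comparison against a value obtained out of band before it is trusted, and the import goes into a dedicated truststore rather than the JDK's cacerts. The script below is an added example and not part of the original post; it assumes openssl and keytool are on PATH, the host name, port, alias, truststore path and password are placeholders, the embedded s_client output is constructed (not a real certificate), and the application is started with the standard JSSE system property -Djavax.net.ssl.trustStore to point at the dedicated file.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes openssl and keytool on PATH.
# Host, port, alias, truststore path and password below are placeholders.

# Cut the first PEM certificate block out of `openssl s_client` output. This
# replaces the manual "delete everything before BEGIN / after END" editing step.
extract_pem() {
    # print from the first BEGIN line through the first END line, then stop
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p; /-----END CERTIFICATE-----/q'
}

# Constructed sample of s_client output (not a real certificate), used to
# demonstrate extract_pem offline.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = service.example.internal
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=service.example.internal
   i:/CN=service.example.internal
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleBodyNotARealCertificate==
-----END CERTIFICATE-----
subject=/CN=service.example.internal
issuer=/CN=service.example.internal
---
EOF
}

# Fetch the server certificate without hanging: s_client reads stdin until EOF,
# so feed it /dev/null. -servername sends SNI so a virtual-hosted server
# returns the certificate for this host name.
fetch_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | extract_pem >"$out"
    [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
}

# Show the SHA-256 fingerprint so it can be compared with a value obtained out
# of band (from the service owner) before the certificate is imported.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import into a dedicated truststore instead of editing the JDK's cacerts: the
# trust decision stays scoped to this application and survives JDK upgrades.
# -noprompt suppresses the interactive "Trust this certificate?" question, so
# only call this after checking the fingerprint. Then list the entry back.
import_cert() {
    alias="$1"; certfile="$2"; store="$3"; storepass="$4"
    keytool -importcert -noprompt -alias "$alias" -file "$certfile" \
        -keystore "$store" -storepass "$storepass"
    keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias"
}

# Print the cacerts path of the JRE that `java` on PATH resolves to (JDK 7 and
# later support -XshowSettings). This is the file to inspect when a different
# Java installation than expected is being used, for example by an IDE.
default_cacerts() {
    home=$(java -XshowSettings:properties -version 2>&1 | sed -n 's/^ *java\.home = //p')
    echo "$home/lib/security/cacerts"
}

# Usage with placeholder values:
#   fetch_cert service.example.internal 443 trust.cert
#   cert_fingerprint trust.cert        # compare with the value given to you out of band
#   import_cert service-cert trust.cert /path/to/app-truststore.jks changeit
#   default_cacerts                    # which cacerts the default `java` would use
# and start the application against the dedicated truststore with
#   java -Djavax.net.ssl.trustStore=/path/to/app-truststore.jks \
#        -Djavax.net.ssl.trustStorePassword=changeit -jar app.jar
```

Keeping the imported certificate in its own file rather than in cacerts also makes it obvious, when the connection later fails after a JDK upgrade or on a colleague's machine, which trust store the application is actually reading.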


If you are using Eclipse, check which Java installation it is using. If multiple Javas are installed and Eclipse is configured with one whose keystore lacks the required certificate, the SSL connection will fail.
