
how to trust certificates in a java trustStore

 
Ravi Danum
Ranch Hand
Posts: 154

Hello Everyone,

I have searched online and can't see how to trust a certificate that has been given to me by a client whose web service I want to connect to.

This certificate can be imported into the java trustStore, but I don't believe it is trusted.

I am running my Java desktop application on a Windows OS.

I don't have system administration privileges -- so is there a way I can trust this certificate?

Thanks for any help.



 
Joe Harry
Ranch Hand
Posts: 10128
You can do this programmatically like this:

After you download the certificate manually,

 
Stephan van Hulst
Saloon Keeper
Posts: 7720
If you don't have administrator privileges, you shouldn't go installing certificates. Ask your administrator.
 
Tim Holloway
Bartender
Posts: 18662
A keystore is simply a (password-protected) database of security credentials. Sorry, Stephan, you don't have to be an administrator to use one. Especially when you're using it as a client and not as a server, which is what Ravi wants to do.

A cert stored in a keystore must be part of a "chain of trust". You can't just put together any old cert and use it. You have to be able to get a higher-level cert to vouch for it. There are tools that can be used to display that sort of information. An excellent one is the Java GUI application "portecle". The Linux open-ssl tools are also useful resources.

Eventually, the chain of trust within the keystore ends and it's up to the client application itself to complete the chain. Web browsers carry their own keystore equivalents for the major trust certifiers around the world. Java has one buried within itself somewhere also.

On a client/server request where the server provides the cert, when the chain is complete - and ONLY then - a client will allow itself to connect to the server offering up the key.

On a client/server request where the client provides a cert, the client retrieves the requested cert from its keystore and sends it to the server for verification. If the server likes the client cert, it will accept traffic from that client.

And, it is possible for both client and server to swap certs if you're really paranoid.

Client-side certs are convenient because you don't need a password if you have a cert. On the other hand, if my computer breaks and I step to another computer, the password will still work, but the cert won't be on the new computer (unless maybe I carry it on a USB stick). AND since the cert is on the client computer, anyone who steals/gains unauthorized access to the client computer already has their ticket punched.
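The "do it programmatically" approach Joe mentions and the per-user keystore Tim describes can be combined in one short Java program. The following is an added example, not code from either poster: it loads the certificate the client handed over from a file, does a couple of sanity checks on it, writes it into a private PKCS12 truststore in the user's home directory (no administrator rights required, and the JRE's own cacerts file is left untouched), and then builds an SSLContext that trusts exactly that store for one HTTPS connection. The file names, the alias, the password and the service URL are hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientTrustStore {

    // Hypothetical paths: the certificate (PEM or DER) the client sent us, and a
    // per-user truststore created in our own profile so no admin rights are needed.
    static final String CERT_FILE = "client-service-ca.cer";
    static final String TRUST_STORE_FILE =
            System.getProperty("user.home") + "/my-truststore.p12";
    static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    /** Create a private truststore containing only the supplied certificate. */
    static KeyStore importCertificate(String certPath, String storePath, char[] password)
            throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        // Look before trusting: refuse expired certs, and show whether this is a CA cert
        // (the thing you normally want to trust) or just the server's own end-entity cert.
        cert.checkValidity();
        boolean isCa = cert.getBasicConstraints() != -1;
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("CA cert: " + isCa);

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // start from an empty store
        ks.setCertificateEntry("client-service-ca", cert);   // hypothetical alias
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, password);
        }
        return ks;
    }

    /** Build an SSLContext that trusts only the certificates in the given store. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = importCertificate(CERT_FILE, TRUST_STORE_FILE, TRUST_STORE_PASSWORD);
        SSLContext ctx = contextFor(ks);

        // Scope the trust decision to this connection instead of the whole JVM;
        // HttpsURLConnection still performs hostname verification as usual.
        URL url = new URL("https://service.example.com/ws");  // hypothetical endpoint
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two points worth noting. First, the chain-of-trust rule Tim describes still applies: the trust manager built here will only accept the server if the certificate it presents chains up to something in the store, so the file you import should normally be the client's CA or intermediate certificate (or the server certificate itself if it is self-signed). Second, this is the safe alternative to the common mistake of installing an "accept everything" TrustManager to make the error go away; that disables the check entirely, whereas a private truststore keeps it and just tells Java whom to believe. The same store can be used without code changes by pointing the JVM at it with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword, and keytool -importcert creates the equivalent file from the command line.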
 
Ravi Danum
Ranch Hand
Posts: 154

Tim,

Thank you very much for this information. This is what I was looking for. It's good to know about the Java tool also.

Ravi