Self-signed certificates in Java

Secure communication is a key goal in modern business client-server applications. Nowadays, clients are mostly web browsers. However, exchanging or syncing data between applications in a secure manner is getting more and more important. Buying trusted certificates for every development, testing or staging server is overkill. That is where self-signed certificates come in.

Self-signed certificates are certificates not signed by trusted certificate authorities (CAs). They are commonly used in development, testing, and staging environments.

The problem with self-signed certificates, in general, is that the Java Runtime Environment (JRE), operating systems and browsers know nothing about them, so they reject the connection.

Solutions

Java distinguishes between two certificate repositories: the keystore and the truststore. A keystore contains public key certificates together with their corresponding private keys. A truststore holds the certificates of trusted certificate authorities (CAs).

To keep it simple: the keystore is used for client authentication in requests to a remote server, whereas the truststore is used for server identity verification.

JDK/JRE Default truststore

The Java Runtime Environment (JRE) truststore is the default repository of trusted certificate authorities. Every CA certificate placed in this repository is trusted by every Java application running on that JRE.

[path-to-jdk-or-jre]/jre/lib/security/cacerts

The default password is changeit.

Custom truststore passed as a JVM argument

In many setups, a custom truststore file is a better solution than adding your own (otherwise untrusted) certificate authorities to the default JRE truststore.

The custom truststore file is passed to the JVM as system properties:

-Djavax.net.ssl.trustStore=absolute-path-to-trustStore
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.trustStoreType=jceks

Software

KeyStore Explorer

KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface.

Portecle

Portecle is a user-friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more.

KeyTool

KeyTool is provided with the Java Development Kit (JDK) and is located in the bin directory of the JDK installation path. KeyTool is a command-line utility for creating and managing certificate repositories.

[path-to-jdk]/bin/keytool

Managing certificate repository with KeyTool

KeyTool command-line utility documentation can be found here. The JCEKS store type is used in the following examples. Java's default store type is JKS (PKCS12 from Java 9 on). The -storetype argument can be omitted for JKS prior to Java 9.

Available -storetype values are: jks, jceks, pkcs11, pkcs12.

Adding a CA certificate to a truststore

keytool -import \
    -trustcacerts \
    -storetype jceks \
    -keystore truststore.jceks \
    -file your-ca-file.pem \
    -alias "Your alias name"

Adding a public certificate and private key to a keystore

openssl pkcs12 \
    -noiter \
    -nomaciter \
    -name "host" \
    -export \
    -in host.crt.pem \
    -inkey host.key.pem \
    -out host.bundle.p12

keytool \
    -importkeystore \
    -srckeystore host.bundle.p12 \
    -srcstoretype pkcs12 \
    -srcalias "host" \
    -destkeystore keystore.jceks \
    -deststoretype jceks \
    -destalias "host"
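The two stores built above can also be wired into a single connection without the global JVM system properties from the "Custom truststore passed as a JVM argument" section: the truststore feeds a TrustManagerFactory (server identity verification) and the keystore feeds a KeyManagerFactory (client authentication). The following is an added example written for this page, not code from the original article; it assumes Java 11 or later, the file names truststore.jceks and keystore.jceks from the keytool commands above, the password changeit for both stores and for the private key, and a hypothetical staging host name.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Load a JCEKS/JKS/PKCS12 file into a KeyStore object.
    static KeyStore loadStore(String path, String type, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Truststore -> TrustManagers: only CAs in this store are accepted for the server certificate.
    // Keystore   -> KeyManagers: the client certificate and private key presented when the server
    // requests client authentication. Pass null as keyStore for a truststore-only context.
    static SSLContext buildContext(KeyStore trustStore, KeyStore keyStore, char[] keyPassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        KeyManagerFactory kmf = null;
        if (keyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: both stores and the private key use the password "changeit" (keytool's default),
        // which is what -importkeystore leaves you with when no -destkeypass is given.
        char[] password = "changeit".toCharArray();
        KeyStore trustStore = loadStore("truststore.jceks", "JCEKS", password);
        KeyStore keyStore = loadStore("keystore.jceks", "JCEKS", password);

        HttpClient client = HttpClient.newBuilder()
                .sslContext(buildContext(trustStore, keyStore, password))
                .build();

        // Hypothetical staging host whose certificate chains to a CA in truststore.jceks.
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://staging.example.internal/health")).build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode());
    }
}
```

Because the context is built from an explicit truststore, a server whose CA is not in truststore.jceks fails the handshake with an SSLHandshakeException ("unable to find valid certification path to requested target"), which is the behaviour you want in staging: the default cacerts file is never consulted. To see which store and which CA were actually used during the handshake, run the client with -Djavax.net.debug=ssl:handshake.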

Listing certificates in a truststore or keystore

keytool -list -v -storetype jceks -keystore truststore.jceks
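Beyond a one-off keytool -list, a recurring check that a practitioner wants on staging truststores is "which entries expire soon, and which ones carry a private key?". The following is an added example for this page, not code from the original article; it assumes Java 17 or later (records and pattern matching), the file truststore.jceks with password changeit from the examples above, and a 30-day warning window chosen for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class StoreInspector {

    // One report entry per alias: subject, expiry, whether a private key is attached
    // (a keystore entry rather than a plain trusted-certificate entry) and an expiry warning.
    record EntryInfo(String alias, String subject, Instant notAfter, boolean hasPrivateKey, boolean expiringSoon) {}

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Walk every alias in the store. getCertificate() returns the trusted certificate for a
    // trust entry and the leaf certificate of the chain for a key entry; JCEKS secret-key
    // entries have no certificate and are skipped.
    static List<EntryInfo> inspect(KeyStore store, Duration warnWindow) throws Exception {
        List<EntryInfo> result = new ArrayList<>();
        Instant threshold = Instant.now().plus(warnWindow);
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = store.getCertificate(alias);
            if (!(cert instanceof X509Certificate x509)) {
                continue;
            }
            Instant notAfter = x509.getNotAfter().toInstant();
            result.add(new EntryInfo(alias,
                    x509.getSubjectX500Principal().getName(),
                    notAfter,
                    store.isKeyEntry(alias),
                    notAfter.isBefore(threshold)));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "truststore.jceks";
        KeyStore store = load(path, "JCEKS", "changeit".toCharArray());
        for (EntryInfo e : inspect(store, Duration.ofDays(30))) {
            System.out.printf("%s %s subject=%s notAfter=%s%s%n",
                    e.alias(),
                    e.hasPrivateKey() ? "[key+cert]" : "[cert]",
                    e.subject(),
                    e.notAfter(),
                    e.expiringSoon() ? "  <-- expired or expiring within 30 days" : "");
        }
    }
}
```

Run it against keystore.jceks as well: an alias reported as [key+cert] inside a file that is deployed as a truststore means a private key has ended up in a repository that only needed public CA certificates, which is worth fixing before the file is copied around to test servers.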

Misc

List all certificates from PEM file with OpenSSL

openssl storeutl -noout -text -certs bundle.pem