Add custom SSL certificate to truststore but retain the default cacerts in Java 8+?
Is there a way in Java to specify additional truststore(s), but have Java default to the cacerts if no matching certificate is found in the specified truststores? I'm looking to be able to create a truststore with some basic certificates that I need in several applications, but without having to update the cacerts file for each JRE individually.

I realize that I can just extend the cacerts file (i.e. copy it and add to it), but I would rather have a central truststore with just my additional certificates.

I did find this question already asked, but it is several years old, and I don't know if Java 7, 8 or 9 has addressed this issue any differently since.

All the documentation I found points to using javax.net.ssl.trustStore and pointing it to my new truststore, but this will then ignore everything in my cacerts.

If I point to my keystore with javax.net.ssl.keyStore, then I can't have an application-specific keystore.

Ideally, I would like to be able to create a list of truststores for Java to iterate over.

Does this exist in Java 7+?

Misconstrue answered 24/4, 2017 at 17:43 Comment(4)
@Andreas The question that I linked to (as did you) has an answer that is 5+ years old. I'm specifically asking if J7+ has addressed this issue any differently, or if it is still the old answer that must still be maintained. (Misconstrue)

Looking forward to seeing how this goes... (Implicit)

If you specifically want to know whether something was added in Java 7, 8 or 9, then I think the answer is no; I checked what changed in these versions and there are no SSL-related changes that add a fallback truststore. (Pricket)

The 'domain' keystore type, new in J8 (not 7), might help you, but AFAICS the only documentation is the javadoc linked there for DomainLoadStoreParameter. (Septuagint)
I answered a similar question here: Using a custom truststore in java as well as the default one

It is possible; see below for an example setup with the SSLContext-Kickstart library (on GitHub), which is maintained by me.

import nl.altindag.sslcontext.SSLFactory;

import javax.net.ssl.SSLContext;
import java.security.cert.X509Certificate;
import java.util.List;

public class App {

    public static void main(String[] args) {
        // Placeholder paths: point these at your own additional trust stores
        String trustStorePathOne = "/path/to/truststore-one.jks";
        String trustStorePathTwo = "/path/to/truststore-two.jks";
        char[] password = "password".toCharArray();

        SSLFactory sslFactory = SSLFactory.builder()
                .withDefaultTrustMaterial() // uses the JDK trust store (cacerts)
                .withTrustMaterial(trustStorePathOne, password)
                .withTrustMaterial(trustStorePathTwo, password)
                .build();

        // SSLContext backed by all of the trust stores above
        SSLContext sslContext = sslFactory.getSslContext();
        // Every certificate trusted by the combined trust material
        List<X509Certificate> trustedCertificates = sslFactory.getTrustedCertificates();
    }

}

Basically, what it does is create a TrustManager from each TrustStore and wrap all the TrustManagers into a delegating TrustManager, which validates the certificate of the counterparty against all the TrustManagers.

Evident answered 26/4, 2021 at 12:38 Comment(0)
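A hand-rolled version of the delegating TrustManager the answer describes, added here as an illustration and not taken from the SSLContext-Kickstart library or from the original post: the JDK's default trust manager (cacerts) is consulted first, and the custom store only if it rejects the chain. The trust-store path and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

/** Trusts a chain if any wrapped X509TrustManager does; JDK cacerts is consulted first, then custom stores. */
public final class CompositeTrustManager implements X509TrustManager {
    private final X509TrustManager[] delegates;
    public CompositeTrustManager(X509TrustManager... delegates) { this.delegates = delegates.clone(); }

    /** X509TrustManager for a key store; a null store makes the JDK fall back to its default cacerts. */
    public static X509TrustManager fromKeyStore(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return (X509TrustManager) Arrays.stream(tmf.getTrustManagers())
                .filter(X509TrustManager.class::isInstance).findFirst().orElseThrow(IllegalStateException::new);
    }

    // Delegates are tried in order and the first that accepts the chain wins. If none does, the last
    // rejection is rethrown so callers still see a real CertificateException rather than silent trust.
    private void check(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
        CertificateException last = new CertificateException("no trust managers configured");
        for (X509TrustManager tm : delegates) {
            try {
                if (server) tm.checkServerTrusted(chain, authType); else tm.checkClientTrusted(chain, authType);
                return;
            } catch (CertificateException e) { last = e; }
        }
        throw last;
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { check(c, a, true); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { check(c, a, false); }
    @Override public X509Certificate[] getAcceptedIssuers() { // union of the issuers every delegate accepts
        return Arrays.stream(delegates).flatMap(tm -> Arrays.stream(tm.getAcceptedIssuers())).toArray(X509Certificate[]::new);
    }

    public static void main(String[] args) throws Exception {
        KeyStore custom = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream("/path/to/my-truststore.jks")) { // placeholder path
            custom.load(in, "changeit".toCharArray());                             // placeholder password
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{new CompositeTrustManager(fromKeyStore(null), fromKeyStore(custom))}, null);
        SSLContext.setDefault(ctx); // or pass ctx.getSocketFactory() to the HTTP client
    }
}
```

JSSE wraps a plain X509TrustManager so that hostname verification configured through SSLParameters still runs; if you need the socket- and engine-aware checks, extend X509ExtendedTrustManager and delegate those overloads the same way.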
