How to create an empty java trust store?

4

33

I want to make a https client in java which initially does not have any CA certs to trust. Since I don't want the JVM to use the default cacerts file I should make an empty trust store and point it to the JVM.
How can I make an empty trust store?

Cymbal answered 23/6, 2016 at 14:18 Comment(0)
48

Using keytool, create a random key pair:

keytool -genkeypair -alias boguscert -storepass storePassword -keypass secretPassword -keystore emptyStore.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"

then delete it

keytool -delete -alias boguscert -storepass storePassword -keystore emptyStore.keystore

review its contents:

$ keytool -list -keystore emptyStore.keystore -storepass storePassword
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries
Nitrate answered 14/2, 2020 at 12:49 Comment(1)
I had to add "-keyalg RSA" to the first command. Nectarous
13

If someone eventually reaches here again:

import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;

public class EmptyStore {
  public static void main (String[] args) {
    String storePassword = "storePassword";
    String storeName = "emptyStore.jks";
    String storeType = "jks";
    try (FileOutputStream fileOutputStream = new FileOutputStream(storeName)) {
      KeyStore keystore = KeyStore.getInstance(storeType);
      keystore.load(null, storePassword.toCharArray()); // null stream: start with an empty store
      keystore.store(fileOutputStream, storePassword.toCharArray());
    } catch (CertificateException | NoSuchAlgorithmException | IOException | KeyStoreException e) {
      e.printStackTrace();
    }
  }
}

then check the content with keytool:

$ keytool -list -keystore emptyStore.jks -storepass storePassword
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries
Antecedence answered 31/12, 2019 at 10:1 Comment(0)
9

One possible solution I found is to import some random certificate into a newly created trust store with keytool import and then delete the imported certificate from it. This leaves you with an empty key/trust store. Unfortunately the JVM is not happy with an empty trust store and throws an exception upon that. So at least one certificate should be present there which could be any invalid or expired one in order to achieve the goal.

Cymbal answered 23/6, 2016 at 14:48 Comment(0)
2

You may pass a null argument to KeyStore::load to create an empty keystore. See https://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html#load-java.io.InputStream-char:A-

Chantal answered 4/11, 2019 at 15:5 Comment(0)
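An added example, not taken from any of the answers above, that joins the two halves the question asks about: it creates the empty store with KeyStore.load(null, ...) and then wires that store (rather than the JVM-wide cacerts file) into an HTTPS client through TrustManagerFactory and SSLContext, so the client trusts no CA until one is explicitly added. The file names, the alias "my-ca" and the optional PEM/DER path argument are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class EmptyTrustStoreClient {
    // Creates a trust store with zero entries and writes it to disk (same idea as the answers above).
    static KeyStore createEmptyTrustStore(Path file, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12"); // "JKS" works the same way
        ts.load(null, password);                       // null stream: start empty
        try (OutputStream out = Files.newOutputStream(file)) {
            ts.store(out, password);
        }
        return ts;
    }
    // PKIX trust manager backed only by this store; with zero entries it accepts no server certificate
    // (the handshake fails with "the trustAnchors parameter must be non-empty", the exception noted above).
    static X509TrustManager trustManagerFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // explicit store: the default cacerts file is never consulted
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }
    // Opt-in trust: add one CA certificate (PEM or DER file) as a trust anchor. Assumed file path and alias.
    static void addTrustAnchor(KeyStore ts, Path certFile, String alias) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(certFile)) {
            ts.setCertificateEntry(alias, cf.generateCertificate(in));
        }
    }
    public static void main(String[] args) throws Exception {
        Path store = Paths.get("emptyStore.p12");          // assumed file name
        char[] pw = "storePassword".toCharArray();
        KeyStore ts = createEmptyTrustStore(store, pw);
        if (args.length == 1) {                            // optional: path to a CA certificate to trust
            addTrustAnchor(ts, Paths.get(args[0]), "my-ca");
        }
        X509TrustManager tm = trustManagerFor(ts);
        System.out.println("trusted CAs: " + tm.getAcceptedIssuers().length); // how many CAs this client accepts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);   // use ctx.getSocketFactory() for the HTTPS client
    }
}
```

Running it without an argument reports zero trusted CAs, which is the state the question asks for; passing a CA certificate file adds that single anchor in memory (call ts.store again to persist it).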
