Can I create a Java trust store without a password using keytool?
I want to connect to a TLS server with a self-signed certificate, so I need a custom trust store. keytool seems to absolutely require a password in order to import the certificate, but I really don't need to password-protect the trust store. Using the standard password "changeit" will work, but I'd prefer to have no password at all.

Note that this is a "trust store" not a "key store", so there is no secret material in the trust store at all: just the server's certificate, so the client can authenticate that the server is trusted.

Is this possible with keytool? Are there other tools that can remove the password from the trust store? Understanding that authenticating the trust store might actually have its uses, are there any specific reasons why I should not use a trust store without a password?

Arlinda answered 6/7, 2016 at 13:20 Comment(1)
Check this #23629746 You can not create a keystore without password using keytool, but you can do it programmatically. – Thermistor
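Since keytool insists on a store password, the programmatic route mentioned in the comment is the practical way to get a certificate-only trust store without one. The following is an added example (not code from the question, the answers, or any project) using the standard java.security.KeyStore API; it writes a JKS store with a zero-length password and then reloads it with a null password, which skips the integrity check the same way keytool's warning describes. The file names server.pem and truststore.jks are assumptions for this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a certificate-only trust store whose store password is empty. */
public class PasswordlessTrustStore {

    // Assumed file names for this example: the server's PEM certificate and the store to write.
    static final String SERVER_CERT_PEM = "server.pem";
    static final String TRUST_STORE_FILE = "truststore.jks";
    // JKS refuses a null password on store(), but a zero-length password is accepted.
    static final char[] EMPTY_PASSWORD = new char[0];

    public static void main(String[] args) throws Exception {
        // 1. Parse the server certificate (CertificateFactory accepts PEM or DER X.509).
        Certificate serverCert;
        try (InputStream in = new FileInputStream(SERVER_CERT_PEM)) {
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // 2. Start from an empty JKS store and add the certificate as a trusted entry.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null);               // null stream = new, empty store
        trustStore.setCertificateEntry("server", serverCert);

        // 3. Write it out. The store password only keys the integrity digest at the end of
        //    the file; certificate entries themselves are stored in the clear.
        try (FileOutputStream out = new FileOutputStream(TRUST_STORE_FILE)) {
            trustStore.store(out, EMPTY_PASSWORD);
        }

        // 4. Reload with a null password: the digest is simply not verified, so file
        //    permissions, not the password, are what protect the store from tampering.
        KeyStore reloaded = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE_FILE)) {
            reloaded.load(in, null);
        }
        System.out.println("trusted aliases: " + Collections.list(reloaded.aliases()));

        // 5. Use it for TLS: only the listed certificate is trusted, nothing else.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(reloaded);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // ctx.getSocketFactory() now trusts the server
    }
}
```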
I am pretty sure keytool will let you put in a blank password if you create a new trust store, but the problem with not having a password is that an attacker can insert any certificate they want and have it be trusted. This creates malicious opportunities such as a man-in-the-middle attack. Your application assumes it can trust that URL that an attacker has set up, so there's nothing stopping them from re-routing your web service calls for example.

It is definitely best practice to change your key store and trust store passwords in production environments from the default.

Glochidiate answered 6/7, 2016 at 13:31 Comment(4)
My position is that since the trust store password is plainly available in configuration and/or code, then the trust store could easily be tampered with by an attacker in a privileged position, anyway, so adding the trust store password doesn't really buy any additional security. For example, most *NIX systems have a whole slew of PEM files representing the system's trust store, and they are not protected by anything other than file permissions. Why should my application's trust store be any different? – Arlinda
keytool does not allow a blank password, at least not current versions of keytool (Java 1.8 as of this writing). – Arlinda
Other tools (and raw Java code) can use blank passwords. Also, you can read a keystore's non-private items (e.g. certificates) without a password, even if there is a password on the keystore itself. You just get a warning from keytool that the keystore's integrity cannot be verified. – Arlinda
This is pretty weird, because I can access my keystore just fine using keytool -list without a password, but when I try to import a new file into it, it requires me to put in a password. I am pretty sure there is no password in this keystore, so I am trying to import blank. – Frum
