Java Interview Q&A on SSL and truststore vs keystore?
Q. What do you understand by the terms truststores and keystores in Java?
A. You generally need a truststore that points to a file containing trusted certificates, no matter whether you are implementing the server or the client side. You may or may not need a keystore. The keystore points to a file containing your private key. You need a keystore if
- you are implementing the server side of the protocol, or
- you are implementing the client side and you need to authenticate yourself to the server.
STEP 1:
The first step is to get hold of the certificates. You could export the certificates from Google Chrome or Firefox. If you click the "view site information" icon in Google Chrome, it is possible to save any cert in the chain to a file. In Firefox, you could try something like the following.
Click on "I understand the Risks" and then on "Add exception". You will see a screen as shown below.
Click on "Get certificate" and then "View". On the second tab, named "Details", you will see an export button to export the certificate.
Save the file as shown above to be imported into your truststore as explained below.
STEP 2:
To create a working truststore, it needs to contain the certs to trust as well as the certs in their parent chain. You can import certificates with the keytool that ships with Java.
Import the parent certificate:
keytool -importcert -alias myservices -file mydomain.crt -keystore truststore.jks
Import another linked certificate:
keytool -importcert -alias coreservices -file mydomain2.crt -keystore truststore.jks
Note: When prompted, enter a password and answer yes to trust this certificate.
To view the certificates:
keytool -list -keystore truststore.jks
STEP 3:
Use the truststore as shown below.
java -Djavax.net.ssl.trustStore=C:\whatever\truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
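The same truststore/keystore split from the first answer, and the STEP 3 usage, can also be done in code instead of via system properties. The following is an added example, not code from the original post: it loads truststore.jks from STEP 2 into a TrustManagerFactory (always needed), optionally loads a client keystore into a KeyManagerFactory (only needed when the client must authenticate itself), and builds an SSLContext for an HttpsURLConnection. The class name, the keystore file names, the "changeit" password and the example.invalid host are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TlsClientConfig {

    // Reads a JKS file such as the truststore.jks produced by keytool in STEP 2.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // truststore -> "whom do I trust?"   (mandatory for client and server)
    // keystore   -> "who am I?"          (client side: only for client authentication)
    static SSLContext build(String trustStorePath, char[] trustStorePassword,
                            String keyStorePath, char[] keyStorePassword) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePassword));

        // Passing null key managers means "no client certificate" (one-way SSL).
        KeyManager[] keyManagers = null;
        if (keyStorePath != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(keyStorePath, keyStorePassword), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // One-way SSL: truststore only. Pass a keystore path/password as the last two
        // arguments when the server requires a client certificate.
        SSLContext ctx = build("truststore.jks", "changeit".toCharArray(), null, null);

        // example.invalid is a placeholder host; replace it with the server whose
        // certificate chain you imported in STEP 2.
        HttpsURLConnection conn = (HttpsURLConnection)
                URI.create("https://example.invalid/").toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: the certificate must match the host.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Scoping trust to one SSLContext, rather than the global -Djavax.net.ssl.trustStore property, lets one JVM talk to several servers with different trust roots, and a handshake that fails with "unable to find valid certification path" means the chain from STEP 2 is incomplete rather than a keystore problem.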
Q. How do you go about resolving any SSL related installation issues?
A. There are several SSL tools available that can help you determine SSL problems and get your servers running SSL properly.
OpenSSL is an open-source implementation of the SSL protocol, and by far the most versatile SSL tool.
Q. What is one-way SSL?
A. One-way SSL just means that the server does not validate the identity of the client. The client generates a random key, encrypts it so that only the server can decrypt it, and sends it to the server. The server and client now have a shared secret that can be used to encrypt and validate the communications in both directions.
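On the server side the difference between one-way and two-way SSL is a single switch. The following is an added example, not code from the original post: a server that must have a keystore (its own private key and certificate), and that only consults its truststore for client certificates when setNeedClientAuth(true) is set. The class name, the file names server-keystore.jks and truststore.jks, the "changeit" password and port 8443 are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TlsServer {

    static SSLServerSocket listen(int port, boolean requireClientCert) throws Exception {
        char[] password = "changeit".toCharArray();

        // keystore: the server's private key + certificate chain (mandatory on the server side)
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("server-keystore.jks")) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);

        // truststore: which client certificates the server accepts; only used for two-way SSL
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("truststore.jks")) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLServerSocket server =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        // false -> one-way SSL: only the server proves its identity, any client may connect
        // true  -> two-way SSL: the handshake fails unless the client presents a certificate
        //          that chains to something in truststore.jks
        server.setNeedClientAuth(requireClientCert);
        return server;
    }

    public static void main(String[] args) throws Exception {
        boolean mutual = args.length > 0 && args[0].equals("--mutual");
        try (SSLServerSocket server = listen(8443, mutual)) {
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();
                    // With one-way SSL the client is anonymous: getPeerCertificates() on the
                    // session would throw SSLPeerUnverifiedException, so only the suite is logged.
                    System.out.println("handshake ok: " + client.getSession().getCipherSuite());
                }
            }
        }
    }
}
```

With the flag left at false, the server never asks for a client certificate, which is exactly the "server does not validate the identity of the client" case described above; flipping it to true is what turns the same keystore/truststore pair into mutual (two-way) SSL.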