
I need to add a trusted cert to the cacerts that come with the JRE, but I do not have control or ownership over my customer's JRE installation. Is there a way to do this through the security APIs other than to assume a file path location for the cacerts file and read it into a custom TrustManager?

2 Answers


I don't recommend setting a trust store globally for the JVM, unless you are running a standalone Java application. Typically you can configure the SSLContext with the needed trust material supporting the certificates you need. However, be aware that SSL in Java is one of the more annoying parts, because the smallest configuration error can give you some really strange error messages.

Previously I have had success implementing two-way SSL authentication (public or privately signed certs) using not-yet-commons-ssl, and although the library is a bit old, it is easier to use than raw Java, especially if you have to support multiple JVM versions.


1 Comment

Agree. That is what I'd have liked to say, but I'm typing from my phone :-(
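The approach the answer above recommends, worked through as an added example (this is not the answerer's code and not from the original page): a per-connection SSLContext whose trust manager first consults the JRE's default trust material and, only if that rejects the chain, an in-memory KeyStore holding one extra CA. The important detail for the question is `TrustManagerFactory.init((KeyStore) null)`: JSSE then locates cacerts itself (or whatever `javax.net.ssl.trustStore` the customer has set), so the application never assumes a path to the customer's cacerts file. The class name, the classpath resource `/extra-ca.pem` and the alias `extra-ca` are assumptions of this example.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.stream.Stream;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Per-connection SSLContext trusting the JRE's default roots plus one extra CA (example code). */
public final class ExtraTrust {

    private static X509TrustManager x509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** The JRE's own trust material. init(null) makes JSSE locate cacerts itself
     *  (honouring javax.net.ssl.trustStore if the customer set it), so no file
     *  path is assumed anywhere in this code. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return x509(tmf);
    }

    /** Trust manager over an in-memory KeyStore that holds only the extra CA,
     *  read as a PEM or DER X.509 certificate shipped inside the application. */
    static X509TrustManager extraTrustManager(InputStream certStream) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(certStream);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                        // fresh, empty, in-memory store
        ks.setCertificateEntry("extra-ca", ca);     // alias is an assumption
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return x509(tmf);
    }

    /** Accepts a chain if either delegate accepts it; rejects only if both reject.
     *  Hostname verification is not done here: HttpsURLConnection still performs
     *  it, so leave the default HostnameVerifier in place. */
    static X509TrustManager either(X509TrustManager a, X509TrustManager b) {
        return new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    a.checkServerTrusted(chain, authType);
                } catch (CertificateException rejectedByDefault) {
                    b.checkServerTrusted(chain, authType);  // propagates if both reject
                }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    a.checkClientTrusted(chain, authType);
                } catch (CertificateException rejectedByDefault) {
                    b.checkClientTrusted(chain, authType);
                }
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return Stream.concat(Arrays.stream(a.getAcceptedIssuers()),
                                     Arrays.stream(b.getAcceptedIssuers()))
                             .toArray(X509Certificate[]::new);
            }
        };
    }

    static SSLContext contextWithExtraCa(InputStream certStream) throws Exception {
        TrustManager tm = either(defaultTrustManager(), extraTrustManager(certStream));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);  // no client key, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // "/extra-ca.pem" is an assumed classpath resource bundled with the application.
        try (InputStream pem = ExtraTrust.class.getResourceAsStream("/extra-ca.pem")) {
            SSLContext ctx = contextWithExtraCa(pem);
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
            // Applied to this connection only; SSLContext.setDefault(ctx) would
            // instead change every HTTPS client in the JVM, which the answer advises against.
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

Two checks worth keeping in mind when adapting this: the composite must throw when both delegates reject (a trust manager whose `checkServerTrusted` swallows the exception accepts every certificate), and the extra store should hold only the CA you actually need rather than a copy of the customer's cacerts, since JSSE already supplies those through the default trust manager.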

You can use your own trust store and define it in the JVM's -D parameters for SSL. That is what I always do in the exact same corporate environment I have.

2 Comments

Hmm... that actually makes the code much simpler! Should I have any concerns about whether the cacerts file changes in future JRE releases? I suppose we should simply update our copy of the certs file periodically.

In general, usually nobody uses the JRE's default key/trust stores. They contain almost nothing in the way of actual certificates. And very often more than one store is used. I'm talking about app servers or containers like Weblogic, JBoss, Tomcat etc., and the applications running there.
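The "-D parameters for SSL" in the answer above are `javax.net.ssl.trustStore`, `javax.net.ssl.trustStoreType` and `javax.net.ssl.trustStorePassword`. Setting `javax.net.ssl.trustStore` replaces the JRE's cacerts rather than adding to it, so the file you ship has to carry the public roots as well as your own CA, which is why the first comment's "update our copy periodically" matters. The following build-time tool, an added example that is not the answerer's code, rebuilds that file from the build JDK's cacerts: it copies every trusted-certificate entry, adds one extra CA and writes a PKCS12 store. Because it runs on your own build machine, the cacerts path assumption the question wants to avoid on the customer's side is harmless here. The argument order, the alias `vendor-ca`, the class name and the default cacerts password `changeit` (the conventional one; pass your own if it differs) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Build-time tool (example code): copy the build JDK's cacerts, add one extra CA and
 *  write a PKCS12 trust store to ship with the app and name via -Djavax.net.ssl.trustStore. */
public final class MergeTrustStore {

    /** cacerts under java.home: lib/security/cacerts on JDK 9+, and also on JDK 8,
     *  where java.home already points at the jre directory. */
    static Path buildJdkCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    static KeyStore loadKeyStore(Path file, char[] password) throws Exception {
        // Default type is JKS on JDK 8 and PKCS12 on JDK 9+; the PKCS12 implementation
        // also reads JKS files (keystore.type.compat), so either cacerts format loads.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    static X509Certificate readCertificate(Path pemOrDer) throws Exception {
        try (InputStream in = new FileInputStream(pemOrDer.toFile())) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /** New PKCS12 store = every trusted-certificate entry of base + the extra CA under alias. */
    static KeyStore merge(KeyStore base, X509Certificate extra, String alias) throws Exception {
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null);                       // empty in-memory store
        for (String a : Collections.list(base.aliases())) {
            if (base.isCertificateEntry(a)) {       // copy roots only, never key entries
                out.setCertificateEntry(a, base.getCertificate(a));
            }
        }
        out.setCertificateEntry(alias, extra);      // alias "vendor-ca" is an assumption
        return out;
    }

    public static void main(String[] args) throws Exception {
        // args: <extra-ca.pem> <out.p12> <out-password> [cacerts-password]   (assumed order)
        Path extraCa = Paths.get(args[0]);
        Path outFile = Paths.get(args[1]);
        char[] outPassword = args[2].toCharArray();
        char[] cacertsPassword = (args.length > 3 ? args[3] : "changeit").toCharArray();

        KeyStore base = loadKeyStore(buildJdkCacerts(), cacertsPassword);
        KeyStore merged = merge(base, readCertificate(extraCa), "vendor-ca");
        try (OutputStream out = new FileOutputStream(outFile.toFile())) {
            merged.store(out, outPassword);
        }
        System.out.println(merged.size() + " trusted certificates written to " + outFile
                + " (" + base.size() + " copied from " + buildJdkCacerts() + ")");
    }
}
```

Run it as part of the build (`java MergeTrustStore vendor-ca.pem app-truststore.p12 '<password>'`), ship the resulting file with the application, and launch with `-Djavax.net.ssl.trustStore=app-truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=<password>`. Regenerate the file whenever the build JDK is updated, so that roots the JDK vendor has removed disappear from your copy too. One caveat that follows from the second comment: in an app server the container may already set these properties or use its own trust stores, and the properties are global to the JVM, so a value you set on the command line either overrides the container's or is overridden by it; in that situation the per-connection SSLContext from the first answer is the safer route.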
