kelseyfrancis/sdfs

Where does the CA cert get loaded?

Closed this issue · 7 comments

ca-cert.pem needs to be added to a trust store somewhere?

It needs to be added to every key store with whatever the equivalent of the command in pki/import-ca-cert.sh is.

See e4fc5e4 for what all needs to actually be in the key store. I tried to export certs as .p12 files and load them that way, since those actually have the private key, but I couldn't get it to work (I didn't try that hard).

We could just use key stores. keytool comes with Java, and the gen-cert.sh script makes it trivial to generate CA-signed certs (it now only uses keytool, no longer needs openssl). It would be cool to be able to import PKCS#12 files.

It is possible to add as many aliased key-pairs/certs to a single key store as one wants. We could do that, and still search the key store looking for the cert that has the particular identity desired, rather than having a key store per identity.

Regardless, we're going to have to prompt the user for the key store password (even if we load PKCS12 stores) and for the password of the key itself. We could just configure the former and use the same one everywhere and then only prompt for the latter if that would make it easier to demo.

According to one poster here, you "cannot import a P12 into a JKS" KeyStore.
http://stackoverflow.com/questions/6994944/connect-to-a-https-site-with-a-given-p12-certificate

The example code on that answer seems like pretty much what we need to configure an SSLContext, using two KeyStores?

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TwoStoreClient {
    public static void main(String[] args) throws Exception {
        // Client identity (private key + cert chain) comes from the PKCS#12 file.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        clientStore.load(new FileInputStream("test.p12"), "testPass".toCharArray());

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, "testPass".toCharArray());
        KeyManager[] kms = kmf.getKeyManagers();

        // Trust anchors (CA certs) come from a separate JKS trust store.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(new FileInputStream("cacerts"), "changeit".toCharArray());

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] tms = tmf.getTrustManagers();

        // Combine identity and trust into one SSLContext.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kms, tms, new SecureRandom());

        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        URL url = new URL("https://www.testurl.com");

        HttpsURLConnection urlConn = (HttpsURLConnection) url.openConnection();
    }
}
```

I knew the PKCS12 needed to be separate (see the commit I mentioned), but I tried to pull the certs out of the PKCS12 and put them in a JKS store that had the CA certs in it, which didn't seem to work immediately, so I just gave up. Using a separate key store for just the trust manager will be easy, because for some reason PKCS12 stores don't even have the CA certs in them and don't care if you add certs you can't verify.

Ok, I think 1929a20 gets us most of the way there. I'm going to let you fix the part that loads all .p12 files and then picks the one with a matching CN.

We circumvented this today by just using keytool to create ca-certs.jks.
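An added example (not the project's own code) of the approach the thread settles on: scan a directory of .p12 files for the one whose private-key entry carries the wanted subject CN, and pair it with the CA trust store (ca-certs.jks) as the trust manager. The directory layout, passwords and the class/method names are assumptions.

```java
import java.io.FileInputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class IdentitySslContext { // hypothetical class, not from the repo
    // CN of the certificate subject, or null if the subject has no CN RDN.
    static String subjectCn(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        return null;
    }
    // Load every *.p12 in dir; return the first one whose private-key entry carries CN=wantedCn.
    static KeyStore findIdentityStore(Path dir, String wantedCn, char[] storePass) throws Exception {
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.p12")) {
            for (Path p12 : files) {
                KeyStore ks = KeyStore.getInstance("PKCS12");
                try (FileInputStream in = new FileInputStream(p12.toFile())) { ks.load(in, storePass); }
                for (String alias : Collections.list(ks.aliases())) {
                    if (!ks.isKeyEntry(alias)) continue; // only entries with a private key can identify us
                    X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                    if (wantedCn.equals(subjectCn(cert))) return ks;
                }
            }
        }
        throw new GeneralSecurityException("no *.p12 in " + dir + " holds a key for CN=" + wantedCn);
    }
    // Identity (key manager) from the matching PKCS#12; trust anchors (trust manager) from the JKS.
    static SSLContext build(Path p12Dir, String cn, char[] storePass, char[] keyPass, Path caJks, char[] caPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(findIdentityStore(p12Dir, cn, storePass), keyPass);
        KeyStore trust = KeyStore.getInstance("JKS"); // e.g. the ca-certs.jks made with keytool
        try (FileInputStream in = new FileInputStream(caJks.toFile())) { trust.load(in, caPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null -> default SecureRandom
        return ctx;
    }
}
```

Because the trust manager is built only from the JKS, a peer is accepted only if its chain ends at one of the CA certs imported there, regardless of what extra certs a .p12 happens to contain.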