SSL and cert keystore


Java Problem Overview


How does my Java program know where my keystore containing the certificate is?

Or alternatively: How do I tell my Java program where to look for the keystore?

After specifying the keystore in some way, how to specify the certificate to use for authenticating the server to client?

Java Solutions


Solution 1 - Java

SSL properties are set at the JVM level via system properties, meaning you can either set them when you run the program (`java -D...`) or set them in code by calling `System.setProperty`.

The specific keys you have to set are below:

> javax.net.ssl.keyStore - Location of the Java keystore file containing an application process's own certificate and private key. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
>
> javax.net.ssl.keyStorePassword - Password to access the private key from the keystore file specified by javax.net.ssl.keyStore. This password is used twice: to unlock the keystore file (store password), and to decrypt the private key stored in the keystore (key password).
>
> javax.net.ssl.trustStore - Location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). On Windows, the specified pathname must use forward slashes, /, in place of backslashes, \.
>
> If a trust store location is not specified using this property, the SunJSSE implementation searches for and uses a keystore file in the following locations (in order):
>
> 1. $JAVA_HOME/lib/security/jssecacerts
> 2. $JAVA_HOME/lib/security/cacerts
>
> javax.net.ssl.trustStorePassword - Password to unlock the keystore file (store password) specified by javax.net.ssl.trustStore.
>
> javax.net.ssl.trustStoreType - (Optional) For Java keystore file format, this property has the value jks (or JKS). You do not normally specify this property, because its default value is already jks.
>
> javax.net.debug - To switch on logging for the SSL/TLS layer, set this property to ssl.
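As an added example (not part of the original answer), the following class sets the properties quoted above from code and then opens both stores with the same password to confirm, before any TLS handshake happens, that the keystore actually holds a private-key entry and which CA certificates the trust store contains. The file paths and the password `changeit` in `main` are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/** Sets the javax.net.ssl.* system properties and sanity-checks the stores they point at. */
public final class JsseKeyStoreSetup {

    /**
     * Must run before the first SSLContext or HttpsURLConnection is created: SunJSSE reads these
     * properties once, when the default SSL context is initialised.
     */
    public static void configure(Path keyStore, char[] keyStorePassword,
                                 Path trustStore, char[] trustStorePassword) {
        requireReadable(keyStore);
        requireReadable(trustStore);
        // The JSSE documentation quoted above requires forward slashes on Windows.
        System.setProperty("javax.net.ssl.keyStore", toJssePath(keyStore));
        System.setProperty("javax.net.ssl.keyStorePassword", new String(keyStorePassword));
        System.setProperty("javax.net.ssl.trustStore", toJssePath(trustStore));
        System.setProperty("javax.net.ssl.trustStorePassword", new String(trustStorePassword));
    }

    static String toJssePath(Path p) {
        return p.toAbsolutePath().toString().replace('\\', '/');
    }

    private static void requireReadable(Path p) {
        if (!Files.isReadable(p)) {
            throw new IllegalArgumentException("keystore not readable: " + p);
        }
    }

    /**
     * Returns the alias of the private-key entry, i.e. the certificate the server will present.
     * javax.net.ssl.keyStorePassword is used for both the store and the key, so the same
     * password is tried for both here; a mismatch fails now instead of at the first handshake.
     */
    public static String serverCertificateAlias(Path keyStore, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = load(keyStore, password);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                ks.getKey(alias, password); // throws UnrecoverableKeyException on a wrong key password
                return alias;
            }
        }
        throw new IllegalStateException("no private key entry in " + keyStore);
    }

    /** Subjects of the CA certificates this trust store would accept as issuers. */
    public static List<String> trustedIssuers(Path trustStore, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = load(trustStore, password);
        List<String> subjects = new ArrayList<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                subjects.add(c.getSubjectX500Principal().getName());
            }
        }
        return Collections.unmodifiableList(subjects);
    }

    private static KeyStore load(Path file, char[] password)
            throws IOException, GeneralSecurityException {
        // getDefaultType() follows keystore.type in java.security; with keystore.type.compat
        // enabled (the default) the PKCS12 implementation also reads JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and password; replace with your own.
        Path keyStore = Paths.get("/home/user/SSL/server_keystore.jks");
        Path trustStore = Paths.get("/home/user/SSL/my-cacerts");
        char[] storePass = "changeit".toCharArray();
        configure(keyStore, storePass, trustStore, storePass);
        System.out.println("server cert alias: " + serverCertificateAlias(keyStore, storePass));
        System.out.println("trusted issuers:   " + trustedIssuers(trustStore, storePass));
    }
}
```

Setting the password properties from code rather than on the command line keeps them out of `ps` output and shell history; the check in `serverCertificateAlias` also catches the common case where the store password and the key password differ, which the single `javax.net.ssl.keyStorePassword` property cannot express.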

Solution 2 - Java

System.setProperty("javax.net.ssl.trustStore", path_to_your_jks_file);

Solution 3 - Java

Just a word of caution. If you are trying to open an existing JKS keystore in Java 9 onwards, you need to make sure you set the following properties too, with the value "JKS":

javax.net.ssl.keyStoreType
javax.net.ssl.trustStoreType

The reason is that the default keystore type prescribed in the java.security file has been changed from jks to pkcs12 from Java 9 onwards.
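As an added example (not from the original answer), this class reports the type the running JVM assumes and sniffs an existing store file to pick the right `javax.net.ssl.keyStoreType` / `javax.net.ssl.trustStoreType` value, so a JKS file is not silently misread on a Java 9+ default. The magic numbers are the documented file headers (JKS `0xFEEDFEED`, JCEKS `0xCECECECE`, PKCS12 a DER SEQUENCE starting with `0x30`); the path in `main` is a placeholder.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

/** Chooses the javax.net.ssl.*Type value that matches an existing keystore file. */
public final class KeyStoreTypeProbe {

    /** What the JVM assumes when no type property is set: "jks" before Java 9, "pkcs12" since. */
    public static String jvmDefaultType() {
        // Reads the keystore.type entry of java.security, falling back to "jks" if absent.
        return KeyStore.getDefaultType();
    }

    /** Guesses the store format from its first four bytes. */
    public static String detectType(Path store) throws IOException {
        byte[] head = new byte[4];
        int n;
        try (InputStream in = Files.newInputStream(store)) {
            n = in.read(head);
        }
        if (n == 4 && matches(head, 0xFE, 0xED, 0xFE, 0xED)) {
            return "JKS";
        }
        if (n == 4 && matches(head, 0xCE, 0xCE, 0xCE, 0xCE)) {
            return "JCEKS";
        }
        if (n >= 1 && (head[0] & 0xFF) == 0x30) {
            return "PKCS12"; // DER SEQUENCE tag
        }
        throw new IOException("unrecognised keystore format: " + store);
    }

    private static boolean matches(byte[] head, int... expected) {
        for (int i = 0; i < expected.length; i++) {
            if ((head[i] & 0xFF) != expected[i]) {
                return false;
            }
        }
        return true;
    }

    /** Sets both type properties explicitly, as the answer above recommends for Java 9+. */
    public static void applyTypes(Path keyStore, Path trustStore) throws IOException {
        System.setProperty("javax.net.ssl.keyStoreType", detectType(keyStore));
        System.setProperty("javax.net.ssl.trustStoreType", detectType(trustStore));
    }

    public static void main(String[] args) throws IOException {
        // Placeholder path; pass your own store as the first argument.
        Path store = Paths.get(args.length > 0 ? args[0] : "/home/user/SSL/server_keystore.jks");
        System.out.println("JVM default keystore type: " + jvmDefaultType());
        System.out.println(store + " looks like " + detectType(store));
    }
}
```

Run it once against each store before deployment: if `detectType` disagrees with `jvmDefaultType`, the type properties must be set, otherwise an "Invalid keystore format" error at startup is the usual symptom.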

Solution 4 - Java

You can also set the path at runtime using -D properties as below:

-Djavax.net.ssl.trustStore=/home/user/SSL/my-cacerts
-Djavax.net.ssl.keyStore=/home/user/SSL/server_keystore.jks

In my Apache Spark application, I used to provide the path of the certs and keystore using the --conf option and extraJavaOptions in spark-submit, as below:

--conf 'spark.driver.extraJavaOptions=-Djavax.net.ssl.trustStore=/home/user/SSL/my-cacerts -Djavax.net.ssl.keyStore=/home/user/SSL/server_keystore.jks'

Solution 5 - Java

First of all, there are two kinds of keystores.

Individual and General

The application will use the one indicated in the startup or the default of the system.

It will be a different folder if JRE or JDK is running, or if you check the personal or the "global" one.

They are encrypted too.

In short, the path will be like:

$JAVA_HOME/lib/security/cacerts for the "general one", which holds all the CAs for the certificate authorities and is quite important.
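As an added example (not from the original answer), this class resolves the trust store the way the SunJSSE search order quoted in Solution 1 describes: the explicit property first, then `jssecacerts`, then `cacerts` under the running JVM's `java.home`, which is where the JRE-versus-JDK folder difference mentioned above comes from. It then counts the CA certificates in the file it found; passing `null` as the password reads the entries without the integrity check, so no default password is assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;

/** Finds the trust store the current JVM will use and reports what it contains. */
public final class DefaultTrustStoreLocator {

    /** Explicit javax.net.ssl.trustStore, else jssecacerts, else cacerts (SunJSSE order). */
    public static Path locate() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) {
            return Paths.get(explicit);
        }
        // java.home is the JDK root on Java 9+, but the jre/ subdirectory on older JDKs,
        // so the same code lands in a different folder depending on what is running.
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        if (Files.isRegularFile(jssecacerts)) {
            return jssecacerts;
        }
        return security.resolve("cacerts");
    }

    /** Number of trusted CA certificate entries; a null password skips the integrity check. */
    public static int countTrustedCertificates(Path trustStore, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        int count = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            if (ks.isCertificateEntry(e.nextElement())) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        Path trustStore = locate();
        System.out.println("trust store in use: " + trustStore);
        System.out.println("CA certificates:    " + countTrustedCertificates(trustStore, null));
    }
}
```

Knowing which file is actually in use matters when a private CA must be trusted: importing it into the `cacerts` of one JDK does nothing for an application started with a different `java.home`, or one that points `javax.net.ssl.trustStore` elsewhere.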

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | deborah | View Question on Stackoverflow |
| Solution 1 - Java | Karthik Ramachandran | View Answer on Stackoverflow |
| Solution 2 - Java | DaveH | View Answer on Stackoverflow |
| Solution 3 - Java | Sankar Natarajan | View Answer on Stackoverflow |
| Solution 4 - Java | Balakumaran Muralidharan | View Answer on Stackoverflow |
| Solution 5 - Java | Carlos Garcia | View Answer on Stackoverflow |