If a key store containing one or more PrivateKeyEntry is specified as a trust store, will JSSE create a trust anchor from the end-entity certificate in each of those entries?
In other words, is it enough to have a certificate under a PrivateKeyEntry if we have one keystore with both trusted and private entries? Or must we also add that certificate as a TrustedCertificateEntry?
It doesn't matter whether the certificate is placed under a PrivateKeyEntry or under a trustedCertEntry; the JVM trusts the host from the certificate anyway.
Tested locally.
Ran a local server with HTTPS and a keystore with only one PrivateKeyEntry, and ran the client with this code:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class TrustTest {
    // Fetches the page body over HTTPS; the TLS handshake validates the server
    // against the JVM's trust store (the default one, or the file given with
    // -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword).
    public static String getHTML(String urlToRead) throws Exception {
        StringBuilder result = new StringBuilder();
        URL url = new URL(urlToRead);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        String line;
        while ((line = rd.readLine()) != null) {
            result.append(line);
        }
        rd.close();
        return result.toString();
    }

    public static void main(String[] args) throws Exception {
        String testUrl = "https://localhost/test";
        System.out.println(getHTML(testUrl));
    }
}
Without any truststore:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
With a truststore that contains only one PrivateKeyEntry (the same jks file that was used as the server keystore):
<!DOCTYPE....</html>
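An added example (not code from the question or the answer above) that makes the same observation reproducible on any keystore: it lists the anchors you would expect from each entry type and compares them with what the JVM's default TrustManagerFactory actually accepts. The keystore path, password and type are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class TrustAnchorInspector {
    // Expected rule: a TrustedCertificateEntry contributes its certificate, a PrivateKeyEntry
    // contributes the end-entity certificate (chain[0]) of its chain; secret-key entries have none.
    static List<X509Certificate> anchorsFromEntries(KeyStore ks) throws Exception {
        List<X509Certificate> anchors = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors.add((X509Certificate) ks.getCertificate(alias));
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null && chain.length > 0) anchors.add((X509Certificate) chain[0]);
            }
        }
        return anchors;
    }
    // What the JVM's own trust manager accepts when this keystore is used as its trust store.
    static X509Certificate[] anchorsFromJsse(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return ((X509TrustManager) tm).getAcceptedIssuers();
        }
        return new X509Certificate[0];
    }
    // usage: java TrustAnchorInspector <keystore> <password> [type]   (assumed inputs, not from the page)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        System.out.println("Derived from entries:");
        for (X509Certificate c : anchorsFromEntries(ks)) System.out.println("  " + c.getSubjectX500Principal());
        System.out.println("Reported by JSSE:");
        for (X509Certificate c : anchorsFromJsse(ks)) System.out.println("  " + c.getSubjectX500Principal());
    }
}
```

If both lists agree, the server certificate is a trust anchor regardless of entry type; a trust store you distribute to clients should still carry only TrustedCertificateEntry items, because a PrivateKeyEntry also ships the server's private key inside that file.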