We got a server certificate chain in .p7b format from our client and we need to export it into our client trust store using the Java/Scala API.
Their cert file contains three certificates: root, intermediate, actual server...
How can we export all three of them into our trust store under the same alias?
Is it actually required to export them under one alias?
This is what we did so far...
```scala
import java.io.{FileInputStream, FileOutputStream}
import java.security.KeyStore
import java.security.cert.{Certificate, CertificateFactory}

// load default cacerts first in order to export the server cert
val keystore = KeyStore.getInstance(KeyStore.getDefaultType)
keystore.load(new FileInputStream(cacertsPath), decryptedPass.toCharArray)
val cf = CertificateFactory.getInstance("X.509")
// this is the server cert we are trying to export
val bais = fullStream(customTrustFile) // fullStream: our own helper that opens the .p7b file as an InputStream
val certs = cf.generateCertificates(bais) // this returns a chain of 3 certs
certs.toArray[Certificate](new Array[Certificate](certs.size())).zipWithIndex.foreach {
  case (cert, i) => keystore.setCertificateEntry("api.*.*.site-" + i, cert)
}
// Save the new keystore contents
keystore.store(new FileOutputStream(cacertsPath), decryptedPass.toCharArray)
```
If you look at the way we are inserting certs, it uses three aliases with suffixes -1, -2, -3, so we end up inserting three entries into the truststore; we are not sure if this is the right way of inserting a cert chain..
Is there a way to insert the cert chain under a single alias?
How does the client find the matching server trust? Is it using the alias? Also, does the client require only the server root cert, or does it need all three?
Thanks
1. Is there a way to insert the cert chain under a single alias?
No, each trusted certificate has one alias.
An alias identifies a unique trusted certificate entry, a private key entry or a secret key entry. A private key entry can also be accompanied by a certificate chain of the corresponding public key.
2. How does the client find the matching server trust? Is it using the alias? Also, does the client require only the server root cert, or does it need all three?
You only need to import the root certificate into the truststore. The alias is not needed.
The client, during a connection, will receive the server certificate and the certification chain (without the root). It will try to match the last certificate of the chain, from leaf to upper, with one of the truststore's certificates. This is done by verifying that the signature of the certificate corresponds with the public key of the root certificate.
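The following Scala program is an added example written for this page, not code from the asker or the answerer. It does what the answer describes: it loads the .p7b chain, orders it from leaf to root by following issuer links, recognises the root as the self-signed certificate, imports only that root under a single alias, and then runs the same PKIX path validation a JSSE client performs during the handshake to confirm that the leaf and intermediate validate against a truststore holding nothing but the root. The file paths, the password and the alias `client-root-ca` are placeholders; `PKIXParameters(KeyStore)` turns every trusted-certificate entry in the store into a trust anchor, and revocation checking is switched off so the check runs offline.

```scala
import java.io.{FileInputStream, FileOutputStream}
import java.security.KeyStore
import java.security.cert.{CertPathValidator, CertPathValidatorException, CertificateFactory, PKIXParameters, X509Certificate}
import scala.collection.JavaConverters._

object TrustRootImport {
  // Placeholder inputs (assumptions, not from the question): the client's PKCS#7 chain
  // and an existing JKS/PKCS12 truststore such as a copy of cacerts.
  val chainPath      = "/path/to/client-chain.p7b"
  val trustStorePath = "/path/to/truststore.jks"
  val trustStorePass = "changeit".toCharArray

  // Parse every certificate in the .p7b (CertificateFactory understands PKCS#7 bundles).
  def loadChain(path: String): Seq[X509Certificate] = {
    val cf = CertificateFactory.getInstance("X.509")
    val in = new FileInputStream(path)
    try cf.generateCertificates(in).asScala.toSeq.map(_.asInstanceOf[X509Certificate])
    finally in.close()
  }

  // A root is self-signed: subject equals issuer and the signature verifies with its own key.
  def isSelfSigned(c: X509Certificate): Boolean =
    c.getSubjectX500Principal == c.getIssuerX500Principal && {
      try { c.verify(c.getPublicKey); true } catch { case _: Exception => false }
    }

  // Order leaf -> intermediate(s) -> root by following each certificate's issuer name.
  // The leaf is the certificate that issued nothing else in the bundle.
  def orderLeafToRoot(certs: Seq[X509Certificate]): Seq[X509Certificate] = {
    val issuerNames = certs.filterNot(isSelfSigned).map(_.getIssuerX500Principal).toSet
    val leaf = certs.find(c => !issuerNames.contains(c.getSubjectX500Principal))
      .getOrElse(throw new IllegalArgumentException("no leaf certificate found in bundle"))
    Iterator.iterate(Option(leaf)) { cur =>
      cur.flatMap { c =>
        if (isSelfSigned(c)) None // reached the root, stop
        else certs.find(_.getSubjectX500Principal == c.getIssuerX500Principal)
      }
    }.takeWhile(_.isDefined).collect { case Some(c) => c }.toSeq
  }

  // PKIX path validation of leaf..intermediate against the truststore's trust anchors.
  // This is the check the client performs with the received chain (which omits the root).
  def validateAgainst(trustStore: KeyStore, leafToRoot: Seq[X509Certificate]): Boolean = {
    val params = new PKIXParameters(trustStore) // every trusted cert entry becomes a TrustAnchor
    params.setRevocationEnabled(false)          // offline example: no CRL/OCSP fetch
    val cf = CertificateFactory.getInstance("X.509")
    val path = cf.generateCertPath(leafToRoot.filterNot(isSelfSigned).asJava)
    try { CertPathValidator.getInstance("PKIX").validate(path, params); true }
    catch { case _: CertPathValidatorException => false }
  }

  def main(args: Array[String]): Unit = {
    val chain = orderLeafToRoot(loadChain(chainPath))
    val root  = chain.last
    require(isSelfSigned(root), "chain does not end in a self-signed root; import the root CA separately")

    val ts = KeyStore.getInstance(KeyStore.getDefaultType)
    val in = new FileInputStream(trustStorePath)
    try ts.load(in, trustStorePass) finally in.close()

    // One trusted certificate, one alias: only the root goes into the truststore.
    ts.setCertificateEntry("client-root-ca", root)
    val out = new FileOutputStream(trustStorePath)
    try ts.store(out, trustStorePass) finally out.close()

    // Confirm the leaf + intermediate chain up to the anchor we just imported.
    println(s"leaf validates against root-only truststore: ${validateAgainst(ts, chain)}")
  }
}
```

If `validateAgainst` returns `false` after the import, the bundle usually does not chain cleanly to the self-signed certificate it contains (for example a cross-signed intermediate or a leaf issued by a different CA), which is the same failure the client would report as a path-building error during the TLS handshake.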