I'm working on a client / server application. Client and server connect via NIO and the connection is secured by SSL. I based my architecture on this GitHub Project.
Right now KeyStore and TrustStore (for client and server) are stored as resources to my project and loaded when they are needed during the connection process.
Is this a secure solution?
If I was to publish the application that would mean every copy of client and server would be using the same KeyStore and TrustStore. This would make things very simple. But is it safe?
The alternative solution would be to have the end user manage their certificates themselves which seems overly complicated.
EDIT:
Clarification: Client and server are mutually authenticating. They each have their own private key.
It's OK to use the same key for all clients, as long as you enforce ECDHE or DHE (perfect forward secrecy). In that case the key is only used to prove identity of the client, while a new, ephemeral key is used for communication. Otherwise clients are able to sniff and decrypt each others traffic.
And of course one key for all clients means if a client's key is compromised, you need to issue a new key and distribute to all the clients.