客户方的证书？

Question

I have a server application and a client application.

The server uses https, and has a .jks file. Apart from that, I use authentication with login and password.

I wonder if the client side should use a .cert certificate. I thought the client's certificate should match servers certificate, but it seems that I was wrong.

I have some troubles understatding the topic, so please be understanding.

Answer 1

Keystore

A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – used for instance in SSL encryption.

• In IBM WebSphere Application Server and Oracle Weblogic Server, a file with extension jks serves as keystore.
• The Java Development Kit maintains a CA keystore in folder jre/lib/security/cacerts.

Keystore comes in two flavors:

1. Trust :
A trust store contains certificates that are issued by somebody you trust, like a root certificate from a CA.

2. Identity:

• An identity store contains your own certificates and they are used to authenticate you when you access an external service.
• A trust store does not contain sensitive information, while identity stores contain very sensitive information like private keys.
• Contains a demonstration private key for server. This keystore establishes an identity for the server.

---

I wonder if the client side should use a .cert certificate.

If you mean to connect to a HTTPS service, then you should export the server's SSL certificate and import in your server's keystore, probably you can import in jre/lib/security/cacerts .

Client is only required to have a SSL certificate if it is a 2 way SSL, meaning client is also required to send a SSL certificate to server because server has requested the same.

Why it is required because using SSL handshake server will send its SSL certificate and client will validate this certificate from its trusted list of certificates present in his keystore. If it is not validated then SSL handshake cannot be completed, and hence no communication can be established. So, you must have server's SSL certificate inside your trusted store of certificates.

I thought the client's certificate should match servers certificate, but it seems that I was wrong.

Yes, you are right, SSL certificates of 2 different parties will be different.

Each party who requires a SSL certificate will generate the public-private key pair at their end and will raise a CSR request to a Certificate Authority (CA), who will generate the SSL certificate using the provided key.

---

How to export and import SSL certificates

To export certificate:

If it can be accessed using web then click on HTTPS icon, view certificate and follow export commands.

If it cannot be accessed using web then use openssl to export certificate. Use below command

openssl s_client -connect host:port -key our_private_key.pem -showcerts -cert our_server-signed_cert.pem

To import certificate:

Use command - keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Further reading on export and import:

• Java keytool easy way to add server cert from url/port
• http://www.grim.se/guide/jre-cert
• https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
• Using openssl to get the certificate from a server