
TLS Authentication between Servers and their Keystores / Truststores

Before I go to the main question, I do want to state my understanding of Keystores and TrustStores:

1) Keystore - details of the key (private key) with which I would authenticate as a server

2) Truststore - the list of root/intermediate CAs and other signed certificates from different domains that I trust.

I am trying to establish an inter-server authentication and data exchange mechanism. All my servers have FQDNs of the form myserverX.mydomain.net, where X is the index, e.g. myserver1.mydomain.net. If my understanding of keystores and truststores is correct, when myserver1 is requesting data from myserver2, it is myserver1 who is the client and myserver2 is the server.

In this way:

1) myserver1 needs to trust myserver2, so myserver2's public key certificate should be imported into the truststore in myserver1.

2) The above will also be true when myserver1 is the server and myserver2 is the client - except now myserver1's public key certificate should be imported into myserver2's truststore.

Am I actually getting things right here? Or is there any fundamental mistake I am making? My intention was to try it out with self-signed certificates, and then get proper root-CA-signed certificates for my servers. But I would be grateful if someone can explain whether I am making any wrong assumptions here.

Note - I am going to use the Java keytool and a JKS-type keystore (with the default symmetric key algo and size), and I will use either -certreq and -gencert or -selfcert to generate a self-signed certificate for my test.

You have it right, but if you use CA-signed certificates the import step is not needed. CAs are already trusted, by definition, and therefore so are the certificates they sign. So your test is pointless.
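The two setups discussed above (the question's plan of importing each peer's self-signed certificate into the other's truststore, and the answer's point that with CA-signed certificates only the CA needs to be trusted) carried through with openssl, as an added example that is not part of the question or the answer. It uses PEM bundles in place of keytool's JKS keystores so it runs without a JDK; the hostnames myserver1/myserver2.mydomain.net are the question's, while the file names, the throwaway "Test Root CA" and the temporary working directory are assumptions of the example. It also adds one case the thread does not spell out: a trusted certificate presented under the wrong hostname.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. It reproduces the two-server
# trust setup with openssl, with PEM files standing in for keytool/JKS keystores.
# Hostnames myserver1/myserver2.mydomain.net come from the question; the file names,
# the throwaway "Test Root CA" and the temporary working directory are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Keystore side of one server: a private key and a self-signed certificate for its FQDN.
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1.mydomain.net" -addext "subjectAltName=DNS:$1.mydomain.net" >/dev/null 2>&1
}

# Truststore side, as a client evaluates a peer: does the presented certificate ($2) chain
# to something in the truststore bundle ($1) AND was it issued for the host we dialled ($3)?
# Prints "trusted" or "untrusted".
check_trust() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# --- Scenario 1: self-signed certificates, the question's plan ---
gen_selfsigned myserver1
gen_selfsigned myserver2
: > truststore1.pem    # each server starts with an empty truststore
: > truststore2.pem

# Before any import, myserver1 (client) rejects myserver2 (server).
BEFORE=$(check_trust truststore1.pem myserver2.crt myserver2.mydomain.net)

# Import each server's certificate into the other's truststore (keytool: -importcert).
cat myserver2.crt >> truststore1.pem
cat myserver1.crt >> truststore2.pem
S1_TRUSTS_S2=$(check_trust truststore1.pem myserver2.crt myserver2.mydomain.net)
S2_TRUSTS_S1=$(check_trust truststore2.pem myserver1.crt myserver1.mydomain.net)
# Trust is per certificate, not per domain: a trusted certificate presented under the
# wrong hostname must still be rejected, so the hostname check above is not optional.
WRONG_HOST=$(check_trust truststore1.pem myserver2.crt myserver1.mydomain.net)

# --- Scenario 2: CA-signed certificates, the answer's point ---
# One local CA (default req extensions mark it CA:TRUE); both servers get certificates
# issued by it (keytool: -certreq, then -gencert on the CA side).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.crt \
  -subj "/CN=Test Root CA" >/dev/null 2>&1
for s in myserver1 myserver2; do
  openssl req -new -key "$s.key" -out "$s.csr" -subj "/CN=$s.mydomain.net" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s.mydomain.net\n' "$s" > "$s.ext"
  openssl x509 -req -in "$s.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
    -extfile "$s.ext" -out "$s-ca.crt" >/dev/null 2>&1
done
# The truststore holds only the CA; no per-server import is needed in either direction.
cp ca.crt truststore-ca.pem
CA_S1_TRUSTS_S2=$(check_trust truststore-ca.pem myserver2-ca.crt myserver2.mydomain.net)
CA_S2_TRUSTS_S1=$(check_trust truststore-ca.pem myserver1-ca.crt myserver1.mydomain.net)
# ...but a certificate the CA never signed (the old self-signed one) is still rejected.
UNSIGNED=$(check_trust truststore-ca.pem myserver2.crt myserver2.mydomain.net)

echo "self-signed, before import: $BEFORE"
echo "self-signed, after import:  $S1_TRUSTS_S2 / $S2_TRUSTS_S1 (wrong host: $WRONG_HOST)"
echo "CA-signed, CA-only store:   $CA_S1_TRUSTS_S2 / $CA_S2_TRUSTS_S1 (not CA-signed: $UNSIGNED)"
```

The keytool equivalent of the scenario 1 import is `keytool -importcert -alias myserver2 -file myserver2.crt -keystore truststore1.jks` (and the mirror image on myserver2); in scenario 2 only the CA certificate is imported. One caveat the hostname case illustrates: Java's trust manager validates the chain only. A client built directly on SSLSocket must also enable endpoint identification (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")), otherwise any certificate that chains to the truststore is accepted no matter which host presents it; HttpsURLConnection performs that hostname check by default.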
