
Can we organize each certificate chain with multiple children in logical folders structure in the Java trustStore

Suppose for SSL/TLS I have 2 root CAs, CA1 and CA2 (both self-signed), and each CA has signed and issued 5 end-entity certificates. I have a requirement to store each root CA and its corresponding 5 child public certificates in the Java truststore in some logical folder structure, such that, given the parent CA public certificate or alias, I can retrieve all the corresponding child certificates it issued. For example, given the CA1 alias, I want to retrieve CA1 and only the child certificates issued by CA1, and the same applies to CA2.

I have checked Java's java.security.KeyStore, which provides an API to store a certificate chain, but it only takes a chain of trust where one parent and only one child can be added to the truststore. We cannot add multiple child certificates at the same level under that parent. The keytool utility also doesn't provide a solution to my requirement.

Is there any way we can store parent-to-multiple-children certificates in a logical folder structure in a truststore, where I can retrieve all children relevant to a particular parent alias?

You cannot store the certificates in a logical order in a Java keystore. A Java keystore is basically a key-value (alias and entry) storage. The entry can be a certificate, a secret key, or a key pair (private key and corresponding certificate chain, which includes the public key).

You have to write your own custom logic to achieve your requirements. You can identify if a certificate is signed by a given CA or not by looking at the issuerDN and subjectDN attributes of the certificate. If a certificate is self-signed (like the CA certificate), the issuerDN and subjectDN will be the same. If a certificate was signed by a CA, then the subjectDN of the CA is put in the issuerDN of the signed certificate. This way you can identify the hierarchy of the certificate chain. However, if you are using this approach, you have to loop through all the certificates multiple times in your truststore.

I'm not sure what your use case is, but if you need to use the truststore for an SSL connection to a server, then it is best if you store all the certificates in the same truststore, not worry about the logical order, and just feed the truststore into the JVM, and it will do the magic of identifying the right certificate to use.
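The issuer/subject walk described in the answer above, as an added example (not code from either poster): it loads a truststore, treats every self-signed entry as a root, and groups the remaining entries under the root that signed them. The file name `truststore.p12`, its PKCS12 format, and the password `changeit` are assumptions; a DN match alone is not trusted, because two CAs may share a subject DN, so each candidate child is also verified against the CA's public key.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class TrustStoreHierarchy {

    /** True when issuer DN equals subject DN and the certificate verifies with its own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try { cert.verify(cert.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    /** Maps each self-signed CA alias to the aliases of the certificates it actually signed. */
    static Map<String, List<String>> groupByIssuer(KeyStore ts) throws Exception {
        Map<String, X509Certificate> certs = new LinkedHashMap<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);   // null for secret-key entries
            if (c instanceof X509Certificate) certs.put(alias, (X509Certificate) c);
        }
        Map<String, List<String>> result = new LinkedHashMap<>();
        for (Map.Entry<String, X509Certificate> ca : certs.entrySet()) {
            if (!isSelfSigned(ca.getValue())) continue;
            List<String> children = new ArrayList<>();
            for (Map.Entry<String, X509Certificate> cand : certs.entrySet()) {
                if (cand.getKey().equals(ca.getKey())) continue;
                X509Certificate child = cand.getValue();
                // The answer's rule: the child's issuerDN is the CA's subjectDN. A DN match
                // alone is not enough (DNs can collide), so also check the signature.
                if (child.getIssuerX500Principal().equals(ca.getValue().getSubjectX500Principal())) {
                    try { child.verify(ca.getValue().getPublicKey()); children.add(cand.getKey()); }
                    catch (Exception ignored) { /* same DN, but not signed by this CA's key */ }
                }
            }
            result.put(ca.getKey(), children);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");                       // assumed format
        try (FileInputStream in = new FileInputStream("truststore.p12")) {  // hypothetical path
            ts.load(in, "changeit".toCharArray());                          // placeholder password
        }
        groupByIssuer(ts).forEach((ca, kids) -> System.out.println(ca + " -> " + kids));
    }
}
```

This groups one level deep, which matches the question's two roots with direct children; intermediate CAs would need the same issuer check applied recursively from each non-root signer.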
