
Should I use either cacerts or local trustore but not both?

We have a local truststore.jks we use for our app. We pass this to the app using VM Options like so:

-Djavax.net.ssl.trustStore=<<PATH TO TRUSTSTORE.JKS>>

If we are already using this truststore.jks is there any good reason to import certificates into the cacerts file of our jdk?

Couldn't we just import these certs into our existing truststore.jks?

There is no right or wrong here, and the decision depends on your application, the operation and approach to managing security setup.

Personally I would always prefer to use a custom trust store (as you are already doing), only containing the trust path for the endpoints that are required for your app. This way you would only have to maintain trust for the endpoint(s) you are using.

However, if the app connects to many TLS endpoints using certificates from different CA providers, a trust store based on cacerts could make maintenance easier if/when endpoints change issuer. In that case I would advise to not change the cacerts file in the JRE, but base a custom trust store file on the cacerts file for use by the application.
