How to keep the truststore of a java application up-to-date?

Question

I am currently working towards enforcing SSL trust for all outward HTTPS communication in my java application, including disallowing self-signed certificates in the hardened mode.

However, I am wondering how and if the SSL Trust is always trustable. Can you help me understand the below details about truststores in Java? The SSL trust solely depends on the contents of our trust store (Trust anchors which we base the trust on)

1. Is the default java certificate store, kept updated automatically ie if a new CA comes up (Unless a Java upgrade package is installed)?
2. Does trusted root CA information in trust stores need a constant update to maintain SSL security?

Answer 1

1. The Java trust store is only updated when you update the JRE. If you want do add new CA certificates you need to do this in your own. In my experience this is not necessary for public CAs if you keep your JRE up to date.
2. No, you do not need to update the information. In the worst case you have a too certificates in the trust store and you cannot connect to a server (which is not a security issue).

Answer 2

1. As far as I know the default java cacert file is updated only by package update/upgrade.

2. Constant update is needed because CA root certificates expire or get revoked and must be removed from cacertfile. On the other side new CA root certificates are issued and must be included. But this update relies on 1.

Digging a bit deeper:

If you are seting up HTTPS on your server side than:

You need a private key and a certificate signed by any official certification authority like Entrust, Baltimore CyperTrust (or create a self-signed one). You have to setup a java keystore containing the private key together with the signed certificate. The certificate itselve has a limited validity and must be renewed before expiration what must be monitored by you. On renewal the CA takes care to use always a CA root certificate which is valid as long as the renewed one.

A client connecting to your server receives on SSL handshake your server certificate and verifies it against it's truststore which in case of default configuration and java resides in jre-xyz/lib/security/cacerts. This file is updated on every java update and you can rely on it's actuality.

If you use additionally certificate based client authentication it's up to you to keep the required client certificates up to date. Usually your mates send you a copy of their certificate on renewal before they expire.

Alternately you can implement only the CA root certificate of your clients. In that case you have less effort to keep the truststore up to date. The backdraw is that you have less opportunities of client verification.

If you are on client side than:

A client in default configuration verifies a server certificate against the cacert file which comes with Java.

Aside the default configuration - in case you will trust only some specific server - you are in charge to setup a truststore and to keep it up to date. This trustsore is equivalend to the one described above for client authentication but contains server's stuff.

And at least, if you need client authentication yo have to set up a client keystore which is equivalent to the above explained server keystore but keeps client's stuff.