jssecacerts question

I have a client app that must use SSL to communicate with a dedicated SSL server. I don't yet have a signed certificate (just an untrusted one) installed on the server. To get things to work, I used the genkey command to create a jssecacerts file to place in the ...jre/lib/security directory on the client machine. This tells the client to trust the unsigned certificate and everything works fine.

My question is the following:

Is the presence of the jssecacerts file on the client machine a security risk? For instance, is any private key information included in the jssecacerts file? Or is it all merely identification information that wouldn't pose a security risk?

I don't understand exactly what information is contained in the jssecacerts file.

[779 byte] By [Jeff333a] at [2007-10-1 3:39:03]
# 1

For your cacerts or jssecacerts file, you typically only want to have trustedCert entries, and not keyEntries.

You'd want to export the certificate for that self-signed cert from your keystore, and store that into your jssecacerts. That cert is public info, and won't hurt anything. You don't want to send out the keystore with your private key to client machines, that's just asking for someone to try to break your private key.

Have a look at the samples in the JDK 1.5 JSSE RefGuide. In the section "Creating a Keystore to Use with JSSE", you'll see the exact steps to do this.

wetmorea at 2007-7-8 22:30:23
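The check a practitioner would want after following the steps above is to confirm that the truststore handed to clients really contains only trustedCertEntry aliases and no keyEntry (private key) aliases. The following program is an added example, not code from the original thread or from the JSSE RefGuide; it assumes a JKS-format truststore (the format jssecacerts used in that JDK era; the JKS implementation on current JDKs also reads PKCS12 files), the JDK default password "changeit" unless another is passed, and the hypothetical class name TruststoreAudit.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example (not from the original thread): audits a truststore such as
 * jssecacerts and fails if any alias carries a private key.  A truststore
 * shipped to client machines should contain trusted certificates only.
 */
public class TruststoreAudit {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TruststoreAudit <truststore> [password]");
            System.exit(2);
        }
        String path = args[0];
        // "changeit" is the JDK default for cacerts/jssecacerts; assumed here
        // unless a password is given on the command line.
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // JKS is the format of jssecacerts in the JDK discussed above; modern
        // JDKs open PKCS12 files through this type as well (compatibility mode).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        int keyEntries = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                // A keyEntry holds a private key: exactly what must not be
                // distributed to clients.
                keyEntries++;
                System.out.println("PRIVATE KEY   " + alias
                        + "   <-- must not be in a client truststore");
            } else if (ks.isCertificateEntry(alias)) {
                // A trustedCertEntry holds only the public certificate.
                Certificate cert = ks.getCertificate(alias);
                String subject = (cert instanceof X509Certificate)
                        ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                        : cert.getType();
                System.out.println("trusted cert  " + alias + "   " + subject);
            }
        }

        if (keyEntries > 0) {
            System.out.println(keyEntries + " key entry/entries found; rebuild the "
                    + "truststore from exported certificates only.");
            System.exit(1);
        }
        System.out.println("OK: only trusted certificate entries present.");
    }
}
```

Run it as `java TruststoreAudit /path/to/jre/lib/security/jssecacerts` (add the password as a second argument if it is not the default). The same distinction is visible with `keytool -list -keystore jssecacerts`, where each alias is labelled either trustedCertEntry or keyEntry; the truststore is built by exporting only the certificate from the server keystore (`keytool -export -alias <alias> -keystore server.jks -file server.cer`, assumed alias and file names) and importing that file into jssecacerts (`keytool -import -alias <alias> -file server.cer -keystore jssecacerts`), never by copying the server keystore itself.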
# 2
Thanks, I now have confidence that I followed the correct steps to make a trusted keystore.
Jeff333a at 2007-7-8 22:30:23