Should we point KeyStore and TrustStore to the same .jks file?

Coder_sLaY · Feb 7, 2014 · Viewed 7.3k times

I am using SSL handshaking to connect to a URL. To do that, I generated a .csr file and got it signed. After signing, I created a my.jks file with 3 entries in it:

  1. Signed Client Cert
  2. Private Key
  3. CA

I use jetty as server and I have exclusively set the keystore and truststore to the same jks file like this:

-Djavax.net.ssl.keyStore=/home/keystore/my.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/home/keystore/my.jks
-Djavax.net.ssl.trustStorePassword=changeit

It works fine. But is it the right way to do it? I thought the keystore should contain the client certs and private key, and the truststore should contain the CA. But when I tried doing this, I got the following error:

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Please advise on this.

Answer

user207421 · Feb 9, 2014

No. A truststore contains nothing but public data: the public certificates of CAs that you trust. A KeyStore contains a private key and its certificate: your digital identity. They may even be controlled by different people. Don't conflate their functions.
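The split the answer describes, as an added example that is not part of the original question or answer: the client's identity (private key plus signed certificate) is loaded from one JKS file into a KeyManagerFactory, and the CA certificates are loaded from a separate JKS file into a TrustManagerFactory, so neither store is handed the other's job. The file paths, passwords and the `checkTrustStoreHasNoPrivateKeys` helper are assumptions for illustration only. The truststore can be produced with `keytool -importcert -alias ca -file ca.pem -keystore truststore.jks`, which adds a certificate entry and no key.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

public final class SeparateStores {

    // Assumed paths: one file holding the private key + signed client cert,
    // a second file holding only the CA certificate(s) we trust.
    static final String KEY_STORE = "/home/keystore/client-keystore.jks";
    static final String TRUST_STORE = "/home/keystore/truststore.jks";

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Defensive check: a truststore should contain certificate entries only.
    // A private key in it means the two roles have been conflated again.
    static void checkTrustStoreHasNoPrivateKeys(KeyStore trustStore) throws Exception {
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isKeyEntry(alias)) {
                throw new IllegalStateException(
                        "truststore contains a private key under alias '" + alias + "'");
            }
        }
    }

    static SSLContext buildContext(char[] keyStorePass, char[] trustStorePass) throws Exception {
        // Our identity: private key and its certificate chain.
        KeyStore keyStore = load(KEY_STORE, keyStorePass);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePass);

        // Who we trust: public CA certificates only.
        KeyStore trustStore = load(TRUST_STORE, trustStorePass);
        checkTrustStoreHasNoPrivateKeys(trustStore);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Passwords are placeholders; in practice read them from a secret store.
        SSLContext ctx = buildContext("changeit".toCharArray(), "changeit".toCharArray());
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

The same split can be expressed with the system properties from the question by pointing `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` at the two different files. Note that the "PKIX path building failed" message means the peer's certificate chain could not be validated against the truststore's contents, so the truststore must hold the CA that issued the certificate presented by the other side of the connection.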