Should we point KeyStore and TrustStore to the same .jks file?
I am using SSL handshaking to connect to a URL. To do that, i generated a .csr file and got it signed. After signing i created a my.jks file with 3 entries in it
- Signed Client Cert
- Private Key
- CA
I use jetty as server and i have exclusively set the keystore and truststore to the same jks file like this
-Djavax.net.ssl.keyStore=/home/keystore/my.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/home/keystore/my.jks
-Djavax.net.ssl.trustStorePassword=changeit
It works fine. But is it the right way to do it? I thought the keystore should contain the client certs and private key, and the truststore should contain CA. But when i tried doing this then i get the following error.
"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Please advice on this.
Answer
No. A truststore contains nothing but public data: the public certificates of CAs that you trust. A KeyStore contains a private key and its certificate: your digital identity. They may even be controlled by different people. Don't conflate their functions.