I want to connect to a TLS server with a self-signed certificate, so I need a custom trust store. keytool seems to absolutely require a password in order to import the certificate, but I really don't need to password-protect the trust store. Using the standard password "changeit" will work, but I'd prefer to have no password at all.
Note that this is a "trust store" not a "key store", so there is no secret material in the trust store at all: just the server's certificate, so the client can authenticate that the server is trusted.
Is this possible with keytool? Are there other tools that can remove the password from the trust store? Understanding that authenticating the trust store might actually have its uses, are there any specific reasons why I should not use a trust store without a password?
I am pretty sure keytool will let you put in a blank password if you create a new trust store, but the problem with not having a password is that an attacker can insert any certificate they want and have it be trusted. This creates malicious opportunities such as a man-in-the-middle attack. Your application assumes it can trust that URL that an attacker has set up, so there's nothing stopping them from re-routing your web service calls, for example.
It is definitely best practice to change your key store and trust store passwords in production environments from the default.
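An added example, not part of the question or the answer above: one way to get a trust store with no password in Java 17+ is to build it in memory from the server's certificate file, checking the certificate's SHA-256 fingerprint against a value obtained out of band so that a swapped certificate is rejected. The class name, the `server` alias and the two command-line arguments are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrustStore {
    // Returns an SSLContext that trusts only the certificate in certPath,
    // after checking its SHA-256 fingerprint against expectedHex.
    static SSLContext contextFor(Path certPath, String expectedHex) throws Exception {
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }

        // Integrity check that does not depend on a store password:
        // compare the DER fingerprint with the expected value.
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        byte[] expected = HexFormat.of().parseHex(expectedHex.replace(":", ""));
        if (!MessageDigest.isEqual(actual, expected)) {
            throw new SecurityException("certificate fingerprint mismatch: " + certPath);
        }

        // load(null, null) creates an empty in-memory store: no file, no password.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("server", cert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: server certificate file (PEM or DER); args[1]: expected SHA-256 hex
        SSLContext ctx = contextFor(Path.of(args[0]), args[1]);
        System.out.println("TLS context ready: " + ctx.getProtocol());
    }
}
```

The returned context can be passed to `HttpClient.newBuilder().sslContext(ctx)` or used through `ctx.getSocketFactory()`.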