Can I create a Java trust store without a password using keytool?

Christopher Schultz · Jul 6, 2016 · Viewed 10.1k times

I want to connect to a TLS server with a self-signed certificate, so I need a custom trust store. keytool seems to absolutely require a password in order to import the certificate, but I really don't need to password-protect the trust store. Using the standard password "changeit" will work, but I'd prefer to have no password at all.

Note that this is a "trust store" not a "key store", so there is no secret material in the trust store at all: just the server's certificate, so the client can authenticate that the server is trusted.

Is this possible with keytool? Are there other tools that can remove the password from the trust store? Understanding that authenticating the trust store might actually have its uses, are there any specific reasons why I should not use a trust store without a password?

Answer

Alex Beardsley · Jul 6, 2016

I am pretty sure keytool will let you put in a blank password if you create a new trust store, but the problem with not having a password is that an attacker can insert any certificate they want and have it be trusted. This creates malicious opportunities such as a man-in-the-middle attack. Your application assumes it can trust that URL that an attacker has set up, so there's nothing stopping them from re-routing your web service calls for example.

It is definitely best practice to change your key store and trust store passwords in production environments from the default.
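What the trust store password actually buys you, as an added example that is not part of the question or answer above: for a JKS trust store the password does not encrypt anything (the certificates are stored in the clear), it only seeds an integrity digest over the file. Loading with the password detects tampering; loading with a `null` password skips the check. The program assumes the server's PEM certificate path is passed as its first argument and relies on the JKS on-disk layout for the byte it flips.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;

public class TrustStoreIntegrity {
    // Serialize a JKS trust store holding one trusted certificate. The password
    // only seeds the trailing SHA-1 integrity digest; the certificate itself is stored in clear.
    static byte[] buildTrustStore(Certificate serverCert, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                       // start with an empty store
        ts.setCertificateEntry("server", serverCert);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ts.store(out, storePass);
        return out.toByteArray();
    }

    // Load with a password: JKS recomputes the keyed digest and throws IOException
    // ("Keystore was tampered with, or password was incorrect") on a mismatch.
    // Load with null: the digest is not checked at all.
    static KeyStore load(byte[] data, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new ByteArrayInputStream(data), storePass);
        return ts;
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new FileInputStream(args[0])) {   // assumed: path to the server's PEM certificate
            serverCert = cf.generateCertificate(in);
        }
        char[] pass = "changeit".toCharArray();
        byte[] store = buildTrustStore(serverCert, pass);

        // Simulate an attacker with write access to the file: flip one byte of the alias.
        // JKS layout: 4-byte magic, 4-byte version, 4-byte entry count, 4-byte entry tag,
        // 2-byte alias length, then the alias bytes, so offset 18 is the first letter of "server".
        byte[] tampered = store.clone();
        tampered[18] ^= 0x01;                                   // 's' becomes 'r'

        try {
            load(tampered, pass);
            System.out.println("unexpected: tampered store accepted with password");
        } catch (IOException e) {
            System.out.println("with password, tampering detected: " + e.getMessage());
        }
        KeyStore unchecked = load(tampered, null);              // no integrity check performed
        System.out.println("with null password, loaded silently: " + Collections.list(unchecked.aliases()));
    }
}
```

Compile and run with `javac TrustStoreIntegrity.java && java TrustStoreIntegrity server.pem`; the same distinction applies to a trust store your application loads at runtime, which is why the password belongs in the loading code even when it is only "changeit".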