Defining a TrustStore

When the server opens TLS connections to other services, for instance an LDAP directory, a SAML identity provider or an OAuth provider, we need to configure a trustStore: it decides which certificates presented by those services Java will accept.

A trustStore is a keyStore file (JKS or PKCS12) used for a different purpose. The keyStore holds the server's own private key and certificate, which identify the server; the trustStore holds only certificates, usually those of trusted Certificate Authorities (CAs) or the self-signed certificates of individual services. Java consults the trustStore to verify the certificate chain presented by the remote side when a TLS connection is established. Keep private keys out of the trustStore: it needs no secret material, but its integrity matters, because anyone who can add a certificate to it can impersonate the services the server talks to.

Follow the steps below to create a new trustStore, import a certificate and configure Tomcat's JVM to use the new trustStore:

  1. Create a new keyStore file called truststore.jks. keytool has no command for creating an empty store; the -genkey call below creates the file but also stores a generated private key under the alias truststore, which a trustStore does not need. You can skip this step, because the import in step 3 creates truststore.jks if it does not exist yet; if you do run it, delete the extra entry afterwards with keytool -delete -alias truststore -keystore truststore.jks.

    keytool -genkey -alias truststore -keyalg RSA -keystore truststore.jks

  2. Export the certificate to be trusted (here stored under the alias myalias) from the keyStore that holds it. If the other service handed you its certificate as a file already, skip this step:

    keytool -export -keystore keystore.jks -alias myalias -file [certname].cer

  3. Import the certificate into the trustStore. -trustcacerts lets keytool also use the JDK's own cacerts file when building the certificate chain. For a self-signed certificate keytool prints the fingerprint and asks you to confirm it; compare it with the fingerprint the other service published before answering yes:

    keytool -import -trustcacerts -alias myalias -file [certname].cer -keystore truststore.jks

You can also re-use a keyStore as a trustStore, in which case the certificate does not need to be exported and imported. The trade-off is that javax.net.ssl.trustStore then points at a file containing private keys, so a separate trustStore is preferable in production: it can be copied to other services and rotated without touching key material.

To configure a trustStore for Apache Tomcat, add the javax.net.ssl.trustStore system property to the JAVA_OPTS environment variable in the setenv script, located in the Tomcat bin folder (CATALINA_BASE/bin, not conf). The script does not exist in a fresh installation; create it and Tomcat's startup scripts will pick it up. Setting javax.net.ssl.trustStore replaces the JDK's default cacerts store for the whole JVM, so any public CA certificates the application also relies on must be imported into the new trustStore as well. The JVM opens the trustStore without a password unless javax.net.ssl.trustStorePassword is also set; supplying it additionally verifies the store's integrity.

  • On Windows, setenv.bat (keep any options already set in JAVA_OPTS):

    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="C:/location/to/truststore/truststore.jks"

  • On Linux, setenv.sh (do not put quotes inside the property value: quotes nested in the double-quoted string are passed to Java literally and become part of the file name, so the trustStore is not found):

    export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/location/to/truststore/truststore.jks"
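The whole procedure above as a runnable script, an added example that is not part of the original page: it creates a keyStore with a self-signed key pair, exports the certificate, imports it into a separate trustStore and then checks that the trustStore holds exactly that certificate and no private key. The working directory, the alias myalias, the demo password, the subject name and the function names are assumptions. Unlike step 1, it lets keytool -importcert create truststore.jks, so no unneeded private key ends up in the trust store; the certificate is exported in PEM (-rfc) so the stored and exported copies can be compared as text.

```shell
#!/bin/sh
# Added example, not from the original page: runs the trustStore procedure
# end to end with keytool and checks the result. Paths, the alias "myalias",
# the demo password and the subject name are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"     # scratch directory (assumption)
STOREPASS="${STOREPASS:-changeit}"     # demo password only
KEYSTORE="$WORKDIR/keystore.jks"       # identity: private key + certificate
TRUSTSTORE="$WORKDIR/truststore.jks"   # trusted certificates only
CERT="$WORKDIR/myalias.pem"            # exported certificate, PEM so it can be diffed
ALIAS="myalias"

# Steps 1-2: create a keyStore with a self-signed key pair and export its
# certificate. -dname/-storepass/-keypass keep keytool non-interactive.
build_keystore_and_export() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=app.example.internal, O=Example" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$CERT"
}

# Step 3: import the certificate. keytool creates the store file if it does
# not exist; -noprompt answers the "Trust this certificate?" question for scripts.
import_into_truststore() {
    keytool -importcert -trustcacerts -noprompt -alias "$ALIAS" -file "$CERT" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Entry type of an alias: "PrivateKeyEntry" or "trustedCertEntry". $1=store $2=alias
entry_type() {
    keytool -list -rfc -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        | sed -n 's/^Entry type: //p'
}

# Keep only the PEM certificate block from stdin
pem_block() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Succeeds only if the trust store holds exactly the certificate that was exported
truststore_matches_export() {
    stored=$(keytool -list -rfc -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
                 -alias "$ALIAS" | pem_block)
    exported=$(pem_block < "$CERT")
    [ -n "$stored" ] && [ "$stored" = "$exported" ]
}

# Number of private key entries in the trust store; it should be 0
private_key_entries() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        | grep -c PrivateKeyEntry || true
}

run_all() {
    build_keystore_and_export
    import_into_truststore
    echo "keystore entry:   $(entry_type "$KEYSTORE" "$ALIAS")"
    echo "truststore entry: $(entry_type "$TRUSTSTORE" "$ALIAS")"
    truststore_matches_export && echo "truststore holds the exported certificate"
    echo "private keys in truststore: $(private_key_entries)"
    # The matching setenv.sh line, with no quotes inside the property value:
    echo "export JAVA_OPTS=\"\$JAVA_OPTS -Djavax.net.ssl.trustStore=$TRUSTSTORE\""
}

if command -v keytool >/dev/null 2>&1; then
    run_all
else
    echo "keytool not found: install a JDK and put its bin directory on PATH" >&2
fi
```

Run it with a JDK on the PATH; WORKDIR defaults to a fresh temporary directory, so repeated runs do not collide on an existing alias. The -rfc output of keytool -list prints an "Entry type:" line followed by the certificate in PEM form, which is what the checks parse.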


(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.
