
Java SSL truststore and keystore configuration

Our ValueCloud Event Streaming service uses TLS (SSL) to secure the communication between clients and services. In Java applications in particular, configuring a truststore and a keystore is in most cases mandatory to establish a secure connection to our Event Streaming service.

About Keystores and Truststores

  1. Keystore: A Keystore is a repository of security certificates, either authorization certificates or public key certificates, used for instance in SSL encryption. In other words, it is a file that contains a collection of cryptographic keys. The keys in a keystore can be used for a variety of purposes, such as encrypting data or proving that data comes from its genuine source. A Keystore is used when creating a connection secured by SSL: it provides the keys needed to establish the connection. Specifically, it contains the private key and public certificate pair that a server (or, with client authentication, a client) presents during the SSL handshake.

  2. Truststore: A Truststore, on the other hand, is a repository of certificates from third parties that you are willing to trust. When an SSL connection is being established, the client checks the certificate presented by the server against the certificates in the Truststore. If the certificate, or a CA certificate in its chain, is in the Truststore, the server is trusted and the connection can be established. In summary, a Truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities (CA) that you trust to identify other parties.

In Java-based systems, these Keystores and Truststores are often .jks (Java KeyStore) files, though they can be in other formats as well (like PKCS12). They are protected by a password in order to maintain the integrity of the stored keys and certificates.

Set up your Keystore and Truststore

  1. Log into our ValueCloud Platform and select your managed Event Streaming Service.

  2. You will find all certificates for your service on the overview page. An example overview page containing your certificates can look like this:

Copy the CA certificate, client certificate and client key each into its own file, e.g. ca.cert, client.cert and client.key.

Create the truststore and keystore as follows using keytool and openssl (repeat the steps for each additional service; a keystore or truststore can hold multiple certificates as long as each has a unique alias):

  1. Use keytool to create your truststore:

    keytool -import \
    -file ca.cert \
    -alias kafka-service \
    -keystore ssl.truststore.jks

    • You will first be asked to enter a password for your truststore to further protect it.
    • Confirm the certificate with yes when prompted.

  2. Use openssl to create your keystore:

    openssl pkcs12 -export \
    -in client.cert \
    -inkey client.key \
    -name kafka-client \
    -out client.keystore.p12

    • You will be asked to enter an export password to further protect your keystore.
Note:

Even though the PKCS12 format is supported by most Java libraries (and has been the default keystore type since Java 9), it can sometimes be necessary to convert it to a JKS keystore using keytool:

keytool -importkeystore \
-deststorepass <keystore_password> \
-destkeypass <key_password> \
-destkeystore ssl.keystore.jks \
-srckeystore client.keystore.p12 \
-srcstoretype PKCS12 \
-srcstorepass <p12_password> \
-alias kafka-client
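As an added example, not part of the original page or the platform's own code, the class below shows how a Java client loads the truststore and keystore created above and turns them into an SSLContext, running a few sanity checks first so that a missing alias or expired client certificate fails with a clear message rather than an opaque handshake error. File names and aliases are those used in the commands above; the class name and the TRUSTSTORE_PASSWORD / KEYSTORE_PASSWORD environment variables are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class EventStreamingSsl {

    // File names and aliases match the keytool/openssl commands on this page.
    static final String TRUSTSTORE = "ssl.truststore.jks";
    static final String KEYSTORE = "client.keystore.p12";

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // throws IOException on a wrong password or corrupt file
        }
        return ks;
    }

    public static SSLContext build(char[] truststorePw, char[] keystorePw) throws Exception {
        KeyStore trust = load(TRUSTSTORE, "JKS", truststorePw);
        KeyStore keys = load(KEYSTORE, "PKCS12", keystorePw);

        // Fail early with a clear message instead of an opaque handshake error later.
        if (trust.getCertificate("kafka-service") == null)
            throw new IllegalStateException("truststore has no CA certificate under alias kafka-service");
        if (!keys.isKeyEntry("kafka-client"))
            throw new IllegalStateException("keystore alias kafka-client has no private key");
        X509Certificate client = (X509Certificate) keys.getCertificate("kafka-client");
        client.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException

        // openssl pkcs12 -export protects the key with the same password as the store.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keystorePw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Passwords come from the environment (variable names assumed for this example), not from source code.
        char[] tsPw = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();
        char[] ksPw = System.getenv("KEYSTORE_PASSWORD").toCharArray();
        SSLContext ctx = build(tsPw, ksPw);
        System.out.println("SSLContext ready (" + ctx.getProtocol() + "), client alias kafka-client loaded");
    }
}
```

The resulting SSLContext can be handed to any Java TLS client; if you instead keep the JKS keystore from the conversion step above, change KEYSTORE and the "PKCS12" type accordingly.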