[Figure: sequence diagram of the client and server interaction]
Configuring Keystores (JKS) and Truststores for mTLS in Java
1. What Are Keystore and Truststore?
Keystore (JKS): Stores private keys and public certificates.
Truststore: Stores trusted CA certificates.
Component | Purpose | Contains |
---|---|---|
Keystore (JKS) | Stores private keys and public certificates | Private key + Public Certificate |
Truststore | Stores trusted CA certificates | CA Certificates + Trusted Public Certificates |
2. Generating Keystore and Truststore
Step 1: Generate Server Keystore (JKS)
```sh
keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
  -dname "CN=server, OU=IT, O=Company, L=City, ST=State, C=IN" \
  -keystore server-keystore.jks -storepass changeit -validity 365
```
Step 2: Export Server Certificate
```sh
keytool -exportcert -alias server -keystore server-keystore.jks \
  -file server-cert.cer -storepass changeit
```
Step 3: Create Server Truststore
```sh
keytool -importcert -alias client -file client-cert.cer \
  -keystore server-truststore.jks -storepass changeit
```
Note: client-cert.cer is produced by Step 5 below, so export the client certificate before running this import; keytool fails if the file does not exist yet.
Step 4: Generate Client Keystore (JKS)
```sh
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 \
  -dname "CN=client, OU=IT, O=Company, L=City, ST=State, C=IN" \
  -keystore client-keystore.jks -storepass changeit -validity 365
```
Step 5: Export Client Certificate
```sh
keytool -exportcert -alias client -keystore client-keystore.jks \
  -file client-cert.cer -storepass changeit
```
Step 6: Create Client Truststore
```sh
keytool -importcert -alias server -file server-cert.cer \
  -keystore client-truststore.jks -storepass changeit
```
3. Configure Java Application for mTLS
Server Configuration (Spring Boot)
```properties
server.ssl.key-store=classpath:server-keystore.jks
server.ssl.key-store-password=changeit
server.ssl.key-alias=server
server.ssl.trust-store=classpath:server-truststore.jks
server.ssl.trust-store-password=changeit
# "need" makes a client certificate mandatory; "want" would only request one
server.ssl.client-auth=need
```
Client Configuration (Java HTTP Client)
```java
import java.io.FileInputStream;
import java.net.http.HttpClient;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MtlsClient {
    public static void main(String[] args) throws Exception {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // Load Client Keystore: the client's private key and certificate, presented to the server
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream("client-keystore.jks")) {
            keyStore.load(fis, "changeit".toCharArray());
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, "changeit".toCharArray());
        // Load Truststore: the server certificate imported in Step 6, the only one this client accepts
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream("client-truststore.jks")) {
            trustStore.load(fis, "changeit".toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        // Every request made through this client performs the mutual handshake
        HttpClient client = HttpClient.newBuilder()
                .sslContext(sslContext)
                .build();
    }
}
```
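As an added example that is not part of the original post, a pre-flight check that loads the four JKS files produced in section 2 and asks each side's truststore whether it trusts the certificate the peer will present, using the same trust-manager decision the handshake makes; the class name MtlsPreflight is assumed, while the file names, aliases and password are the article's values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Pre-flight check: does each side's truststore trust the certificate the peer will present? */
public class MtlsPreflight {

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(path)) {
            ks.load(fis, password.toCharArray());
        }
        return ks;
    }

    /** The certificate this side presents; fails if the alias is not a private-key entry or it has expired. */
    static X509Certificate ownCert(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is not a PrivateKeyEntry: wrong file or alias?");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(new Date()); // keytool -validity 365: catches a certificate that quietly expired
        return cert;
    }

    /** Same trust decision the handshake makes, using an X509TrustManager built from the truststore. */
    static void assertTrusted(KeyStore trustStore, X509Certificate peerCert, boolean peerIsServer) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate[] chain = { peerCert }; // self-signed cert imported directly, so the chain is one deep
        if (peerIsServer) tm.checkServerTrusted(chain, "RSA"); else tm.checkClientTrusted(chain, "RSA");
    }

    public static void main(String[] args) throws Exception {
        String pw = "changeit"; // the article's password; load it from a secret store in a real deployment
        X509Certificate serverCert = ownCert(load("server-keystore.jks", pw), "server");
        X509Certificate clientCert = ownCert(load("client-keystore.jks", pw), "client");
        // Client side: client-truststore.jks must accept the server certificate (Step 6)
        assertTrusted(load("client-truststore.jks", pw), serverCert, true);
        // Server side: server-truststore.jks must accept the client certificate (Step 3)
        assertTrusted(load("server-truststore.jks", pw), clientCert, false);
        System.out.println("mTLS pre-flight OK: each truststore accepts its peer's certificate");
    }
}
```

A failure here (CertificateException from the trust manager, or CertificateExpiredException) means the same handshake will fail at runtime, so this is cheaper to run after a keystore rotation than to debug an SSLHandshakeException in production logs.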
4. Summary
Step | Server | Client |
---|---|---|
1. Generate Keystore | server-keystore.jks | client-keystore.jks |
2. Export Certificate | server-cert.cer | client-cert.cer |
3. Create Truststore | server-truststore.jks | client-truststore.jks |
4. Configure Application | Keystore & Truststore setup | Keystore & Truststore setup |
5. Key Takeaways
- Keystore stores private keys and certificates.
- Truststore stores trusted CA certificates.
- Certificates are exchanged once, manually, at setup time; after that the TLS handshake uses them automatically.
- Java applications must be configured correctly with Keystore & Truststore.