Managing a Truststore for SPADE

This article explains how to create or update a Java truststore for use with the SPADE application.

Introduction

In order to establish a secure connection between a JBoss server and another server, such as a mail server or another web server, the JBoss server needs access to the other server's certificate. If that certificate is signed by a common Certificate Authority, the CA certificates distributed with Java will probably work. If, on the other hand, the certificate is not signed by one of them, you will need to either create a truststore that contains the required certificates or add those certificates to the existing Java truststore in order for the two servers to communicate.

Obtaining a server's Certificate

There are a variety of ways to get the public certificate for a server. The easiest is to ask the server's administrator. The other obvious approach is to connect to the server with an application, such as a web browser or email client, that can capture the server's certificate and output it in a suitable format.

The examples below use a certificate downloaded from Thawte and stored in the home directory with the file name Thawte Personal Freemail CA.pem.


Creating the truststore

If you cannot modify the default Java truststore, you can create your own truststore and place known certificates in it using the following commands.

mkdir ~/server/jboss-as-7.1.1.Final/extras
cd ~/server/jboss-as-7.1.1.Final/extras
keytool -import -alias spade_mail -file ~/Thawte\ Personal\ Freemail\ CA.pem -keystore cacerts

As you are creating the truststore you will be prompted to enter a password (twice) for the truststore, which you will need to use in all later transactions and when you set up your JBoss server. After that you will be shown the certificate and you should check that it is correct, e.g. by comparing the SHA1 fingerprint with the one obtained from the server's administrator, and you can accept it by entering "yes" at the prompt.

NOTE: If you have created your own truststore it will not contain the default CA certificates for common certificate authorities, and you will need to add these yourself if your server needs them.
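
To make the fingerprint comparison at the keytool prompt less error-prone, the following script (an added example, not part of the original article or the SPADE project) computes the SHA1 and SHA-256 fingerprints of every certificate in a PEM file in the same colon-separated form keytool prints, and can compare them against a value supplied by the administrator regardless of its case or punctuation. The file name, the script name certfp.py and the embedded SAMPLE_PEM are assumptions; the sample body is constructed and is not a real certificate.

```python
import base64
import hashlib
import re
import sys

# Constructed sample for offline use: the body is base64 of the bytes "abc", not a
# real certificate; the fingerprint code only needs the decoded DER bytes.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# One PEM file may carry a bundle, so match every certificate block.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM string."""
    bodies = _PEM_BLOCK.findall(pem_text)
    if not bodies:
        raise ValueError("no CERTIFICATE blocks found")
    return [base64.b64decode("".join(body.split())) for body in bodies]


def fingerprint(der, algorithm="sha1"):
    """Digest of the DER encoding in keytool's colon-separated upper-case form."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp):
    """Drop colons, spaces and case so values from different tools compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der, expected):
    """True if the bare value 'expected' is this certificate's SHA1 or SHA-256."""
    want = normalise(expected)
    return want in (normalise(fingerprint(der, "sha1")),
                    normalise(fingerprint(der, "sha256")))


if __name__ == "__main__":
    # python certfp.py [certificate.pem] [expected-fingerprint]; no args uses the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    ders = pem_to_der_list(text)
    for n, der in enumerate(ders, 1):
        print("certificate %d  SHA1   %s" % (n, fingerprint(der)))
        print("               SHA256 %s" % fingerprint(der, "sha256"))
    if len(sys.argv) > 2:  # exit non-zero if no certificate matches the expected value
        ok = any(fingerprint_matches(der, sys.argv[2]) for der in ders)
        sys.exit(0 if ok else 1)
```

Run it against the PEM file before importing and accept the certificate at the keytool prompt only when the printed value and the administrator's value agree.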


Updating the default Java truststore

Java has a default truststore, normally located in $JAVA_HOME/jre/lib/security/cacerts (Java 9 and later place it in $JAVA_HOME/lib/security/cacerts), that contains the CA certificates for common certificate authorities. If you have the privileges you can add other servers' certificates to it by using the following commands.

cd $JAVA_HOME/jre/lib/security/
keytool -import -alias spade_mail -file ~/Thawte\ Personal\ Freemail\ CA.pem -keystore cacerts

NOTE: You will need the password for the default truststore for this to work.