Java keystores provide a convenient mechanism for storing and deploying X.509 certificates and private keys. Fuse Message Broker uses Java keystore files as the standard format for deploying certificates.
The Java keystore is a feature of the Java platform Standard Edition (SE) from Sun. To perform the tasks described in this section, you will need to install a recent version of the Java Development Kit (JDK) and ensure that the JDK bin directory is on your path. See http://java.sun.com/javase/.
Sun’s JDK provides a standard file-based implementation of the keystore. The instructions in this section presume you are using the standard keystore. If there is any doubt about the kind of keystore you are configured to use, check the following line in your java.security file (located either in JavaInstallDir/jre/lib/security or JavaInstallDir/lib/security):

keystore.type=jks
The jks (or JKS) keystore type represents the standard keystore.
Java also allows you to provide a custom implementation of the keystore, by implementing the java.security.KeyStoreSpi class. For details of how to do this see the following references:
If you use a custom keystore provider, you should consult the third-party provider documentation for details of how to manage certificates and private keys with this provider.
The keystore repository is protected by a store password, which is defined at the same time the keystore is created. Every time you attempt to access or modify the keystore, you must provide the store password.
Note: The store password can also be referred to as a keystore password or a truststore password, depending on what kind of entries are stored in the keystore file. The function of the password in both cases is the same: that is, to unlock the keystore file.
The keystore provides two distinct kinds of entry for storing certificates and private keys, as follows:
Key entries—each key entry contains the following components:
A private key.
An X.509 certificate (can be v1, v2, or v3) containing the public key that matches this entry’s private key.
Optionally, one or more CA certificates that belong to the preceding certificate’s trust chain.
Note: The CA certificates belonging to a certificate’s trust chain can be stored either in its key entry or in trusted certificate entries.
In addition, each key entry is tagged by an alias and protected by a key password. To access a particular key entry in the keystore, you must provide both the alias and the key password.
Trusted certificate entries—each trusted certificate entry contains just a single X.509 certificate.
Each trusted certificate entry is tagged by an alias. There is no need to protect the entry with a password, however, because the X.509 certificate contains only a public key.
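As an added example (not part of the Fuse Message Broker documentation), the following Java program opens a JKS file and walks its entries to show the distinction described above: the store password unlocks the file, trusted certificate entries are readable without any further password, and a key entry's private key is released only with its own key password. The keystore path, store password and optional key password are assumed command-line inputs.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Lists every alias in a JKS keystore and reports whether it is a key entry or a
// trusted certificate entry, showing which password is needed to read what.
// Usage: java KeystoreInspector <keystore-file> <store-password> [key-password]
public class KeystoreInspector {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreInspector <keystore-file> <store-password> [key-password]");
            System.exit(1);
        }
        char[] storePass = args[1].toCharArray();
        // keytool uses the store password as the key password when none is given; mirror that here.
        char[] keyPass = (args.length > 2 ? args[2] : args[1]).toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS"); // the standard keystore type (keystore.type=jks)
        try (FileInputStream in = new FileInputStream(args[0])) {
            // The store password is needed before anything else can be read; a wrong password
            // is reported by the JKS implementation as an IOException (tampered or wrong password).
            ks.load(in, storePass);
        } catch (IOException e) {
            System.err.println("cannot open keystore (wrong store password or corrupt file): " + e.getMessage());
            System.exit(2);
        }

        System.out.println("keystore type: " + ks.getType() + ", entries: " + ks.size());
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                // Trusted certificate entry: one public certificate, no key password involved.
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println("[trusted cert] " + alias + " -> " + cert.getSubjectX500Principal());
            } else if (ks.isKeyEntry(alias)) {
                // Key entry: the certificate chain is readable with the store password alone ...
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("[key entry]    " + alias + ", chain length " + chain.length
                        + ", subject " + ((X509Certificate) chain[0]).getSubjectX500Principal());
                // ... but the private key is protected by the per-entry key password.
                try {
                    Key key = ks.getKey(alias, keyPass);
                    System.out.println("               private key recovered: " + key.getAlgorithm());
                } catch (UnrecoverableKeyException e) {
                    System.out.println("               private key NOT recovered: wrong key password");
                }
            }
        }
    }
}
```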