> The only problem with this is, how do you copy an openssl {key|crt} pair
> into a keytool keystore? Importing the crt into a keystore is not a
> problem as long as the crt is in x509 format, but the key poses a
> problem as the x509 format only handles trusted certificates.
When I created SSL certs for a internal webserver, I created my own root
certificate with the openssl tools, installed that in the server and client
trusted stores as a trusted RA, then used that root certificate to generate all
my other keys, which were then treated as trusted. To get new browser clients
to trust this RA cert, I had it available on a link off my home page, the user
simply had to click on the link, they'd get a certificate trust message, and
they click 'always trust', and the browser adds the cert to the root authority
list.
I would have to assume something similar can be done with java, and in fact, am
about to figure it out at work, since we need to do some SSL between a
standalone java application and a tomcat server.