Re: JDBC SSL with postgresql
From | Craig Ringer |
---|---|
Subject | Re: JDBC SSL with postgresql |
Date | |
Msg-id | 4C074967.2090305@postnewspapers.com.au |
In reply to | Re: JDBC SSL with postgresql (Jeffrey Baker <jwbaker@gmail.com>) |
List | pgsql-jdbc |
On 3/06/2010 12:08 PM, Jeffrey Baker wrote:
> On Wed, Jun 2, 2010 at 5:46 PM, Jeffrey Baker <jwbaker@gmail.com> wrote:
>> I was interested in this[1] work on SSL client certs for JDBC, but I
>> see the author stopped working on your project. I hope the list can
>> give me a quick clue, because I've been banging my head against this
>> all day.
>
> Just to update the list, I did figure this out. Turns out I hadn't
> imported my private key into the keystore file. Which, in turn, is a
> ridiculous pain in the butt because keytool can only deal with private
> keys it generated, or those in PKCS#12 files, and in fact only in
> PKCS#12 files protected with passwords.

It's often easier to just point the keyStore directly at a PKCS#12 file using the javax.net.ssl.trustStoreType=pkcs12 system property.

> Furthermore once the key is
> in the keystore it must also have a password there (keystore password
> as well as key password) or the implementation will refuse to use it!

And both passwords must be the SAME.

> # openssl pkcs12 -export -out client.pkcs12 -in client.cert -inkey client.key
> # keytool -importkeystore -deststorepass changeit -destkeystore
> client.jks -srckeystore client.pkcs12 -srcstorepass changeit
> -srcstoretype PKCS12 -alias 1 -destkeypass changeit

Generally, you are better off using keytool to generate the key and a certificate request, getting that certificate request signed by the CA, and importing the reply into your keystore.

--
Craig Ringer
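Added example, not part of the original message and not code from the PostgreSQL JDBC driver: a small Java check for the two failure modes discussed in this thread, a keystore that holds no private key entry and a key password that differs from the store password. The file name `client.pkcs12` and the password `changeit` come from the quoted commands; the class name `ClientKeyStoreCheck` is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example: verifies that a client keystore really contains a usable
// private key before it is handed to an SSL connection.
public class ClientKeyStoreCheck {

    static SSLContext load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);        // "PKCS12" or "JKS"
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);                       // store password
        }

        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            // KeyManagerFactory.init() below accepts a single password, so the
            // key must be recoverable with the store password. A different key
            // password fails here with UnrecoverableKeyException.
            ks.getKey(alias, password);
            Certificate[] chain = ks.getCertificateChain(alias);
            int chainLen = (chain == null) ? 0 : chain.length;
            System.out.println(alias + ": private key, chain length " + chainLen);
            keyEntries++;
        }
        if (keyEntries == 0) {
            throw new IllegalStateException(path + " holds no private key entry");
        }

        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);      // default trust managers
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: the PKCS#12 file and password from the quoted commands.
        load("client.pkcs12", "PKCS12", "changeit".toCharArray());
        System.out.println("client key material loaded");
    }
}
```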