Re: JDBC with SSL

On 07/12/11 03:43, Walter Hurry wrote:
> On Tue, 06 Dec 2011 08:45:48 +0800, Craig Ringer wrote:
>
>> On 12/06/2011 02:46 AM, Walter Hurry wrote:
>>> ------------------------------------------------------------- $ java
>>> -Djavax.net.ssl.keyStore=$HOME/.postgresql/clientstore \
>>>         -Djavax.net.ssl.keyStorePassword=changeit \
>>>         -Djavax.net.ssl.keyStoreType="jks" \
>>>
>> I thought you could only use a JECKS store when including private keys?
> Sorry, I'm pretty new to all this. What is a JECKS store? Does it mean I
> have the keyStoreType wrong?

JKS and JECKS are two different key store formats. Keytool understands
both. If my memory serves, JECKS is the encrypted keystore format,
intended for storing private key data. I think you can use JECKS for
both certificate and key data, but you can use JKS only for certificate
data, NOT  for key data.

If you want your trusted certs and your client certs+keys in the same
store, use a JECKS store by passing the "-storetype JECKS" argument to
keytool when creating the store and importing a cert into it. I have the
niggling memory that if you use the JKS store (default) then keytool
imports the certificate from your input pkcs#2 (or whatever) file and
ignores the key.

--
Craig Ringer