Explain Codes LogoExplain Codes Logo

How can I use different certificates on specific connections?

java
certificate-management
ssl-configuration
key-store
Anton ShumikhinbyAnton Shumikhin·Feb 11, 2025
TLDR

Achieve precise control over TLS configurations in your Java application by leveraging individual SSLContexts for unique HTTPS connections. Each SSLContext should use its own certificate.

SSLContext sslContext = SSLContext.getInstance("TLS");

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
// Watch for angry NullPointerExceptions here while loading non-existent keystore
keyStore.load(new FileInputStream("keystore.jks"), "password".toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
// More excitement here possibly with an UnrecoverableKeyException
kmf.init(keyStore, "keypassword".toCharArray());

// Let the magic happen. Be sure to include a secret ingredient: SecureRandom
sslContext.init(kmf.getKeyManagers(), null, new SecureRandom());

SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
HttpsURLConnection connection = (HttpsURLConnection) new URL("https://custom.domain").openConnection();
// A one liner. Well, kinda.
connection.setSSLSocketFactory(sslSocketFactory);

So, in essence, load your KeyStore with the certificate, pump life into KeyManagerFactory, and let the SSLContext take it from there.

Juggling with multiple certificates

A Java application often has to deal with multiple certificates. Your mission, should you choose to accept, is to handle them gracefully.

Loading certificates - The Bootstrap

To load a certificate into a KeyStore, you can use a CertificateFactory along with a PEM file. It's as easy as swiping right on your favorite dating app.

CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
FileInputStream fis = new FileInputStream("cert.pem"); // Ah, the good old FileInputStream
Certificate certificate = certificateFactory.generateCertificate(fis); // No certificate? Application gets ghosted.

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); // What type? Oh, the DEFAULT one! Silly me.
keyStore.load(null, null); // What are we loading? Surprise me!
keyStore.setCertificateEntry("alias", certificate); // Now you know the 'alias' to the secret base!

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore); // And the trust begins...

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), new SecureRandom()); // SecureRandom - do we have any other choice?

Handling self-signed certificates - Fly Solo!

In case you're dealing with self-signed certificates, never add them to the JRE's global trust store. Instead, buckle up and manage a custom trust store. You control your destiny!

// Come on! We've done this already, haven't we?

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{new CustomTrustManager(keyStore)}, new SecureRandom());

Praise be to the CustomTrustManager which selectively decides who to trust.

System properties for custom trust store - Have it your way!

Custom trust store at runtime? Why not! Make your life easier by specifying system properties to define a custom trust store:

System.setProperty("javax.net.ssl.trustStore", "path/to/custom.truststore"); // We take paths, not promises.
System.setProperty("javax.net.ssl.trustStorePassword", "truststorepassword"); // One password to rule them all!

Key and Trust dancing together

Tap into the power of KeyManagerFactory and TrustManagerFactory for a smooth dance of SSL configurations, particularly handy when dealing with both client and server authentication.

Advanced level - Let's turn it up a notch!

Updating trust store on-the-go

In ever-changing environments, it is essential to implement mechanisms that allow trust store reloading without requiring application restarts. Refresh the SSLContext as the trust store changes:

// Incorporate the check-for-updates logic into a method that you can run periodically.
// Update your skills, not just trust stores!

if (trustStoreIsUpdated()) { // Did someone say 'changes'?

    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(updatedKeyStore); // Here we go again!

    sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); // Let's take it from the top!
}

Sneaking in certificates with keytool

Harness the keytool utility to import certificates into the Java KeyStore, and let the JDK, not your code, do the heavy lifting:

keytool -import -alias "mycert" -file "certificate.pem" -keystore "keystore.jks" -storepass "password" // Yeah, because keytool is a hammer!

Keeping pace with JRE updates

Keeping up with the JRE updates? Use an automatic merging strategy for your trust store. This ensures you're in sync with the latest trusted CA certificates, in addition to your self-signed or organizational ones.

Certificate loading via command line

Enjoy more flexibility by loading a certificate into a KeyStore directly from a string obtained via terminal commands:

String certString = "..."; // The certificate string obtained from the command line
ByteArrayInputStream bais = new ByteArrayInputStream(certString.getBytes()); // Converting bytes to a certificate. What a time to be alive!
Certificate certificate = certificateFactory.generateCertificate(bais);

Certificate string format - Be precise!

Ensuring the exact structure of the self-signed certificate string is important. Incorrect formatting can lead to unsuccessful imports and failed attempts to connect. So, precision, young Padawan!

Retrieving public key - Get the treasure!

Use openssl to retrieve the public key for a self-signed certificate. Just import it into the JVM key store using the keytool command. You'll get the gold and the girl!

explain-codes / Java / How can I use different certificates on specific connections?
Linked

Java HTTPS Client Certificate Authentication

Problems using Maven and SSL behind proxy

Accept server's self-signed SSL certificate in Java client

How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?

How to import a .cer certificate into a java keystore?

Where is the Keytool application?

How to import an existing X.509 certificate and private key in Java keystore to use in SSL?

Juggling with multiple certificatesAdvanced level - Let's turn it up a notch!
Linked

Java HTTPS Client Certificate Authentication

Problems using Maven and SSL behind proxy

Accept server's self-signed SSL certificate in Java client

How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?

How to import a .cer certificate into a java keystore?

Where is the Keytool application?

How to import an existing X.509 certificate and private key in Java keystore to use in SSL?