Can we load multiple Certificates & Keys in a Key Store?
Can we load multiple Certificates & Keys in a Key Store?
Is it always requ开发者_运维问答ired to load only Pairs (i.e. Certificates & Keys together)?
If a Key Store has multiple Certificates and Keys, which one will get selected when Java SSL tries to establish connection as a Server?
Although this depends on the KeyStore type, generally, you can store multiple private keys and certificates in a single store.
Which key and certificate combination is used for a Java-based server will depend on how the application was implemented. A number of applications let you select a given certificate using the alias name. The key and certificate getters in KeyStore take an alias
parameter to make this choice. Usually, when this is not specified in the configuration, the application or framework will use the first suitable one it finds based on the KeyStore.aliases()
enumeration.
Tomcat, for example, uses the keyAlias
attribute in its Connector configuration:
keyAlias: The alias used to for the server certificate in the keystore. If not specified the first key read in the keystore will be used.
Regarding key pairs, some KeyStores (again, depending on the type) can be used to store SecretKey
s (e.g. DES), that is shared keys, as well as public-private key pairs.
You can have a keystore with as many certificates and keys as you like.
If there are multiple certificates in a keystore a client uses as its truststore, all certificates are being looked at until one is found that fits. You can look at the preinstalled certificates, they are in /lib/security/cacerts. It's just a big collection of root CAs' certificates.
Regarding the keys I don't know. I'd reckon the client uses a key that is signed by the same CA as the certificate that is provided by the server and if there are multiple, the first is used. But I can't say that for sure.
精彩评论