Just as the JKS keystore can be used to provide the key material for a key manager provider, it can also be used to provide the trusted certificates used by trust manager providers. In general, using a JKS file as a trust store is similar to using it as a keystore. However, because no private key is accessed when the file is used as a trust store, there is generally no need for a PIN when reading its contents; the store password still protects the file's integrity and is required when certificates are added or removed.
When the JKS trust manager provider determines whether to trust a given peer certificate chain, it considers two factors:
Is the peer certificate within the validity period?
Is any certificate in the chain contained in the trust store?
If the peer certificate is not within its validity period, or none of the certificates in the peer certificate chain is contained in the trust store, the JKS trust manager rejects that peer certificate chain. Because any certificate in the chain suffices, importing a server's own certificate trusts only that server, whereas importing the CA certificate that issued it trusts every chain that includes that CA certificate.
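The following Java program is an added illustration of the two documented checks; it is not the server's own trust manager code. It loads every certificate from a JKS trust store without a password (the integrity check is skipped, which is why read-only use needs no PIN), parses a DER or PEM certificate chain with the peer certificate first, and then applies the validity-period check to the peer certificate and the membership check to the whole chain. The class name, file paths and the rejection messages are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not OpenDS code): reproduces the two checks the documentation
 * describes for the JKS trust manager provider. (1) The peer certificate must be
 * inside its validity period. (2) At least one certificate in the chain must be
 * present in the trust store. Nothing else (path building, name checking) is done.
 */
public class JksTrustCheck {

    /**
     * Loads every certificate held in a JKS trust store. A null password skips the
     * keystore integrity check, so no PIN is needed for read-only access; the
     * certificates are still readable because they are not encrypted.
     */
    static List<Certificate> loadTrustedCerts(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        List<Certificate> trusted = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            // getCertificate covers trusted-certificate entries and key entries alike
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c != null) {
                trusted.add(c);
            }
        }
        return trusted;
    }

    /** Parses a DER or PEM file holding one or more certificates, peer certificate first. */
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /** Returns null when the chain is accepted, otherwise the reason it is rejected. */
    static String rejectionReason(List<X509Certificate> chain, List<Certificate> trusted) {
        if (chain.isEmpty()) {
            return "empty certificate chain";
        }
        X509Certificate peer = chain.get(0);
        try {
            peer.checkValidity();   // check 1: validity period of the peer certificate only
        } catch (CertificateExpiredException e) {
            return "peer certificate expired: " + e.getMessage();
        } catch (CertificateNotYetValidException e) {
            return "peer certificate not yet valid: " + e.getMessage();
        }
        for (X509Certificate c : chain) {
            // check 2: membership; Certificate.equals compares the DER encoding,
            // so this is an exact match, not an issuer/subject name match
            if (trusted.contains(c)) {
                return null;
            }
        }
        return "no certificate in the chain is present in the trust store";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java JksTrustCheck <truststore> <chain.pem|chain.der>");
            System.exit(2);
        }
        List<Certificate> trusted = loadTrustedCerts(args[0], null);
        List<X509Certificate> chain = loadChain(args[1]);
        String reason = rejectionReason(chain, trusted);
        System.out.println(reason == null ? "TRUSTED" : "REJECTED: " + reason);
        System.exit(reason == null ? 0 : 1);
    }
}
```

To try it against a store created with the keytool command shown later in this section, run `java JksTrustCheck config/truststore /tmp/cert.txt`: the chain is accepted because its peer certificate is the one that was imported. Importing only the issuing CA certificate and presenting a chain that includes that CA certificate is also accepted, while a chain whose peer certificate has expired is rejected before the trust store is even consulted.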
Use the keytool -import utility to import certificates into a JKS trust store. The -import option uses these arguments:
-alias alias. Specifies the name to give to the certificate in the trust store. Give each certificate a unique alias; the alias is used only for managing the entries in the trust store and has no effect on whether a certificate is trusted.
-file path. Specifies the path to the file containing the certificate to import. The file can be in either DER format or in the base64-encoded ASCII (PEM) format described in RFC 1421.
-keystore path. Specifies the path to the file used as the JKS trust store. This path is typically config/truststore.
-storetype type. Specifies the format of the trust store file. For the JKS trust manager, this must be JKS.
-storepass password. Specifies the password used to protect the integrity of the trust store. If the trust store file does not exist, this value becomes the password of the new trust store and must be used for all future modifications of it. If this option is not provided, the password is requested interactively. Passing the password on the command line exposes it in shell history and process listings, so prefer the interactive prompt on shared systems.
The following command provides an example of importing a certificate into a JKS trust store. If the trust store does not exist, this command creates the trust store before importing the certificate.
$ keytool -import -alias server-cert -file /tmp/cert.txt \
    -keystore config/truststore -storetype JKS -storepass password
Sun OpenDS Standard Edition provides a template JKS trust manager provider. Use dsconfig to configure the following properties of the JKS trust manager provider:
enabled. Indicates whether the JKS trust manager provider is enabled. The JKS trust manager provider is not available for use by other server components unless the value of this property is true.
trust-store-file. The path to the trust store file, which is typically config/truststore, although an alternate file can be used if needed. The value of this property can be either an absolute path or a path relative to the server installation directory (install-dir).
trust-store-type. The format of the trust store. For the JKS trust store provider, the value of this property is JKS.
The following example uses dsconfig in interactive mode to configure the JKS trust manager provider. Because no --set option is given, dsconfig prompts for the property values (the --advanced option exposes the advanced properties as well):
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
    set-trust-manager-provider-prop --provider-name "JKS" --advanced
For a list of the configurable properties, see the File Based Trust Manager Provider Configuration.