[2.1-java] Self generated SSL certificate with different passwords for keystore and certificate


Amol Gaikwad

Mar 21, 2013, 9:41:34 PM
to play-fr...@googlegroups.com
We can use the command below from a Windows prompt to create a self-signed certificate in a keystore.

keytool -keystore "serviceKeystore.jks" -storepass sspass -genkey -keyalg RSA -dname "CN=localhost, OU=DSP, O=GE, L=San Ramon, ST=CA, C=US" -alias localhost -keypass skpass

Now there are two passwords specified in the above command:
a) KeyStore password: this password is used to access the keystore (for example, -storepass sspass).
b) Certificate password: this password is used to access the private key (for example, -keypass skpass).


keytool makes both passwords mandatory.
If we decide to use the certificate generated above with Play, we can run the command below in Play 2.1.0:

play
run -Dhttps.port=8443 -Dhttps.keyStore=serviceKeystore.jks -Dhttps.keyStorePassword=sspass

Play uses the above keyStorePassword as both the ‘Key Store password’ and the ‘Certificate password’.
There is no provision to set a different certificate password.
Is there any way to specify the certificate password (different from keyStorePassword)?

Amol Gaikwad

Mar 27, 2013, 7:07:28 PM
to play-fr...@googlegroups.com
Got the answer from James Roper. Thanks James!

Below are his words:


Interesting. The system properties we provide are modelled off the system properties that the JDK provides for when you instantiate an SSLSocketFactory without passing in an SSLContext. These system properties are documented here:

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Customization

That defines two passwords, a key store password, and a trust store password. The trust store is unrelated to us here. I checked the source code, in sun.security.ssl.SSLContextImpl.DefaultSSLContext.getDefaultKeyManager, the same password (taken from the javax.net.ssl.keyStorePassword system property) is used both as the "storepass" (that is, passed to KeyStore.load()) and the "keypass" (that is, passed to KeyManagerFactory.init()).

I did a bit of research on the difference between these two passwords, and it seems they are a bit of a misfeature, resulting from historical decisions and the requirement to maintain backward compatibility. Both the key store and the keys in the key store get encrypted, but it seems there is no real reason for the passwords to be different, and the fact that the JDK uses the same system property for both seems to confirm this to me.

My preference in Play framework would be to keep things simple, and not complicate our configuration. Using the same naming conventions and following the same behaviour as the JDK system properties does help this, as it means people familiar with one will have no difficulties with the other.

So, do you have any reason to have different passwords here? Could you use the same passwords? It seems to me that using the same password is the normal practice.
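The two-password model described in both posts (one password passed to KeyStore.load(), a second one used to recover each key) can be seen directly through the JDK KeyStore API. The following is an added example, not code from the thread or from Play; it builds a PKCS12 store in memory with the thread's alias and passwords, then applies the single-password rule that James describes for the JDK default SSLContext and Play's https.keyStorePassword. Because the public JDK API cannot mint a self-signed X.509 certificate, the entry is a SecretKeyEntry standing in for the private-key entry; the per-entry password protection works the same way. The class and method names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeystorePasswordCheck {

    // Values taken from the keytool command in the first post.
    static final String ALIAS = "localhost";
    static final char[] STORE_PASS = "sspass".toCharArray(); // keytool -storepass
    static final char[] KEY_PASS = "skpass".toCharArray();   // keytool -keypass

    /**
     * Builds a PKCS12 store in memory. The store itself is protected by storePass;
     * the single entry under ALIAS is protected by keyPass. A secret key is used as a
     * stand-in for a private-key entry (constructed test data, not a real TLS key).
     */
    static byte[] buildStore(char[] storePass, char[] keyPass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty store
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(keyPass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }

    /**
     * Mirrors the JDK default SSLContext (and Play 2.1): ONE password is used both as
     * the "storepass" for KeyStore.load() and as the "keypass" for recovering the key.
     * Returns true only if that single password opens the store AND the key.
     */
    static boolean usableWithSinglePassword(byte[] storeBytes, char[] singlePass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(storeBytes), singlePass); // storepass step
        try {
            return ks.getKey(ALIAS, singlePass) != null;           // keypass step
        } catch (UnrecoverableKeyException e) {
            // The store opened, but the entry's password differs: exactly the case
            // that a single https.keyStorePassword cannot express.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] mismatched = buildStore(STORE_PASS, KEY_PASS);
        byte[] aligned = buildStore(STORE_PASS, STORE_PASS);
        System.out.println("storepass != keypass, usable with one password: "
                + usableWithSinglePassword(mismatched, STORE_PASS));
        System.out.println("storepass == keypass, usable with one password: "
                + usableWithSinglePassword(aligned, STORE_PASS));
    }
}
```

The first call reports false: the store loads with sspass, but the entry under localhost still needs skpass, which is what a server configured with a single keyStorePassword would hit at startup. The second reports true. For a keystore that already exists with differing passwords, keytool's -keypasswd command (with -alias, -keystore, -storepass, the old -keypass and -new) brings the key password in line with the store password, which is the configuration the JDK defaults and Play expect.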
