11

I want to connect to a TLS server with a self-signed certificate, so I need a custom trust store. keytool seems to absolutely require a password in order to import the certificate, but I really don't need to password-protect the trust store. Using the standard password "changeit" will work, but I'd prefer to have no password at all.

Note that this is a "trust store" not a "key store", so there is no secret material in the trust store at all: just the server's certificate, so the client can authenticate that the server is trusted.

Is this possible with keytool? Are there other tools that can remove the password from the trust store? Understanding that authenticating the trust store might actually have its uses, are there any specific reasons why I should not use a trust store without a password?

Christopher Schultz
  • 1
    Check this http://stackoverflow.com/questions/23629246/is-it-possible-to-create-jks-keystore-file-without-a-password You can not create a keystore without password using keytool, but you can do it programmatically – pedrofb Jul 06 '16 at 20:05

1 Answer

-4

I am pretty sure keytool will let you put in a blank password if you create a new trust store, but the problem with not having a password is that an attacker can insert any certificate they want and have it be trusted. This creates malicious opportunities such as a man-in-the-middle attack. Your application assumes it can trust that URL that an attacker has set up, so there's nothing stopping them from re-routing your web service calls for example.

It is definitely best practice to change your key store and trust store passwords in production environments from the default.

Alex Beardsley
  • 2
    My position is that since the trust store password is plainly available in configuration and/or code, then the trust store could easily be tampered with by an attacker in a privileged position, anyway, so adding the trust store password doesn't really buy any additional security. For example, most *NIX systems have a whole slew of PEM files representing the system's trust store, and they are not protected by anything other than file permissions. Why should my application's trust store be any different? – Christopher Schultz Jul 06 '16 at 13:47
  • 7
    `keytool` does not allow a blank password, at least not current versions of keytool (Java 1.8 as of this writing). – Christopher Schultz Jul 06 '16 at 21:30
  • 1
    Other tools (and raw Java code) *can* use blank passwords. Also, you can read a keystore's non-private items (e.g. certificates) without a password, even if there is a password on the keystore itself. You just get a warning from `keytool` that the keystore's integrity cannot be verified. – Christopher Schultz Jul 20 '16 at 14:07
  • 1
    This is pretty weird, because I can access my keystore just fine using `keytool -list` without a password, but when I try to import a new file in it requires me to put in a password. I am pretty sure there is no password in this keystore, so I am trying to import blank. – gkhnavarro May 07 '20 at 03:56
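The programmatic route mentioned in the comments (pedrofb's "you can do it programmatically" and Christopher Schultz's "raw Java code *can* use blank passwords"), as an added example that is not from the question or the answer: a Java program that imports one server certificate into a JKS trust store with an empty password, then loads it back with no password at all and builds an `SSLContext` from it. The file names `server.pem` and `truststore.jks` and the alias `server` are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: build a password-less trust store with the KeyStore API instead of keytool.
// Usage: java PasswordlessTrustStore server.pem truststore.jks   (both paths are placeholders)
public class PasswordlessTrustStore {

    // Import one X.509 certificate (PEM or DER) as a trusted-cert entry and write a JKS file.
    // JKS rejects a *null* password on store(), but accepts an *empty* one; the integrity
    // hash is then keyed with the empty string. JKS is used rather than the PKCS12 default
    // because its empty-password behaviour is well defined across JDK versions.
    static void createTrustStore(String certPath, String storePath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new FileInputStream(certPath)) {
            serverCert = cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                          // start from an empty store
        ts.setCertificateEntry("server", serverCert); // trusted-cert entries hold no secret material
        try (OutputStream out = new FileOutputStream(storePath)) {
            ts.store(out, new char[0]);               // empty, not null
        }
        // Like the system PEM bundle, the file is now protected only by its permissions.
    }

    // Load the store with a null password: the integrity check is skipped, which is exactly
    // what keytool warns about when it says the keystore's integrity cannot be verified.
    static SSLContext contextFrom(String storePath) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, null);
        }
        if (!ts.isCertificateEntry("server")) {
            throw new IllegalStateException("trusted certificate missing from " + storePath);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        createTrustStore(args[0], args[1]);
        SSLContext ctx = contextFrom(args[1]);
        System.out.println("trust store written with no password; SSLContext uses " + ctx.getProtocol());
    }
}
```

Passing `new char[0]` instead of `null` to `load()` would verify the empty-keyed integrity hash, which only detects accidental corruption, not tampering by anyone who can write the file.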