
acme gives you the whole cert chain as List<X509Certificate>.

How do I create the SSLEngine from that cert chain?

(I would like ideally to skip the whole keystore thing or populate a keystore dynamically to be read from at runtime).

EDIT: I have the following code but

  1. not sure what alias should be filled in with
  2. not sure why I need a password
  3. not sure if I should use the variable defaultType
  4. Is JKS ok for a 509Cert
  5. do I want "TLSv1.2"

    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLEngine;

    SSLEngine createEngine(String alias, X509Certificate cert, char[] passphrase) throws Exception {
        String defaultType = KeyStore.getDefaultType(); // currently unused; "JKS" is hard-coded below

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // initialise an empty in-memory store; required before any set*Entry call

        // setCertificateEntry stores a trusted-certificate entry only (no private key attached)
        ks.setCertificateEntry(alias, cert);

        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");

        //****************Server side specific*********************
        // KeyManager's decide which key material to use.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, passphrase);
        sslContext.init(kmf.getKeyManagers(), null, null);
        //****************Server side specific*********************

        SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(false);

        return engine;
    }
    
Dean Hiller
  • 19,235
  • 25
  • 129
  • 212
  • Your question isn't clear. Are you acting as a server (you need to protect the secrecy of a private key) or a client (you need to protect the integrity of a trusted certificate)? Do you want a secure TLS connection, or are you trying to work around the restrictions of a security transport that's not really necessary? – erickson Jul 19 '18 at 17:53
  • @erickson ah, sorry, this is for a webserver that I am implementing a wizard for, and I am supposed to create the SSLEngine via a factory method. I have the whole cert chain and my end cert as well. Trying to create a KeyStore in memory at this point from an X509Cert. – Dean Hiller Jul 19 '18 at 18:46
  • Still not totally clear but it sounds like you are writing a wizard to ease the setup of a web server. If that's the case, you need a *private* key. Where is that going to be stored between server restarts? – erickson Jul 19 '18 at 18:49
  • @erickson that is stored in a secure database as once the wizard sets it up, all servers are immediately active with the new cert without any logic since they all look up on the database every new request until a website has something other than the self-signed cert. – Dean Hiller Jul 19 '18 at 19:11
  • @erickson I edited a bit to see if that helps? – Dean Hiller Jul 19 '18 at 19:13
  • Oh, and I have a private key too! And a CSR. I have a key pair basically that I can read in as well. – Dean Hiller Jul 19 '18 at 19:14
  • I also have the entire cert chain since letsencrypt returns that...does that help here as well? – Dean Hiller Jul 19 '18 at 19:17

1 Answer

3

You don't. You create:

  1. An SSLContext
  2. A KeyStore, which you load with your certificate chain.
  3. A TrustManager, which you initialize with (2).
  4. A TrustManagerFactory.

You then initialize your SSLContext with the above, then you create an SSLEngine from the `SSLContext`.

However, the SSLEngine is not for the faint-hearted, and if you don't already know all the above and a good deal more, you should really walk before you run by using SSLSocket and SSLServerSocket, which you create via the appropriate factories obtained from the SSLContext.

user207421
  • 305,947
  • 44
  • 307
  • 483
  • To clarify, I did say skip OR create keystore dynamically. You said 'you don't'. So you can't create a KeyStore dynamically in memory? I want to avoid the filesystem. – Dean Hiller Jul 19 '18 at 15:57
  • And since I only need a TrustManagerFactory, I already have working code creating one of those so this will be even easier to plug in then. – Dean Hiller Jul 19 '18 at 15:58
  • 1
    @DeanHiller: The KeyStore class has no methods that involve the filesystem. There are methods that involve InputStreams and OutputStreams, but those can be "in memory" simply by using ByteArrayOutputStream and ByteArrayInputStream. Still, you must have persisted your public and private key somewhere, so why not a file-based KeyStore? – President James K. Polk Jul 22 '18 at 22:34
  • @DeanHiller 'You don't' is in *answer* to the *question,* which was 'how do i create an `SSLEngine` from `List`'? I gave the intermediate steps which are conceptually missing from your question. There is nothing in my answer about file systems. – user207421 Jul 23 '18 at 00:16
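The steps the answer lists (KeyStore populated in memory, KeyManagerFactory, SSLContext, SSLEngine) carried through as one working server-side factory. This is an added example, not code from the question or the answer; the class name `InMemoryEngineFactory`, the alias `acme-cert` and the PEM helpers are assumptions. The chain and private key are taken as already-parsed objects, which is what an ACME client hands back; the `main` parses them from PEM files only so the example can be run on a real `fullchain.pem`/`privkey.pem` pair.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Builds a server-side SSLEngine from an in-memory private key and chain; no keystore file. */
public final class InMemoryEngineFactory {

    // The alias is only the label of the entry inside the KeyStore. Any non-empty string works;
    // the KeyManager selects the entry whose key type matches what the client negotiates.
    private static final String ALIAS = "acme-cert"; // assumed name

    // This password protects the key entry inside the in-memory store object only. The store is
    // never serialised, so the value is not a secret; it just has to match in init() below.
    private static final char[] ENTRY_PASSWORD = "in-memory-only".toCharArray();

    /** KeyStore -> KeyManagerFactory -> SSLContext, the chain of steps the answer describes. */
    public static SSLContext buildServerContext(PrivateKey key, List<X509Certificate> chain)
            throws Exception {
        if (chain == null || chain.isEmpty()) {
            throw new IllegalArgumentException("certificate chain must contain at least the leaf");
        }
        // PKCS12 is the JDK default type since Java 9 and holds private keys in a standard format.
        // load(null, null) creates an EMPTY store; set*Entry on an un-loaded KeyStore throws
        // KeyStoreException("Uninitialized keystore").
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);

        // setKeyEntry (not setCertificateEntry) binds the private key to its chain; only key
        // entries are usable by a KeyManager. Leaf first, then intermediates, as ACME returns it.
        ks.setKeyEntry(ALIAS, key, ENTRY_PASSWORD, chain.toArray(new Certificate[0]));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ENTRY_PASSWORD);

        // A plain TLS server needs no TrustManager (null = JDK default trust store); one is only
        // required if the server will request client certificates. "TLS" lets the JDK negotiate
        // the newest protocol it supports rather than pinning the context to TLSv1.2.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Server-mode engine; the caller drives the handshake through wrap()/unwrap(). */
    public static SSLEngine newServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    /** Parses a concatenated PEM chain (e.g. Let's Encrypt fullchain.pem) into X509Certificates. */
    public static List<X509Certificate> parseChainPem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))) {
            chain.add((X509Certificate) c);
        }
        return chain;
    }

    /** Parses an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY"); RSA first, then EC. */
    public static PrivateKey parsePkcs8Pem(String pem) throws Exception {
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        }
    }

    // Usage: java InMemoryEngineFactory fullchain.pem privkey.pem
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = parseChainPem(Files.readString(Path.of(args[0])));
        PrivateKey key = parsePkcs8Pem(Files.readString(Path.of(args[1])));
        SSLEngine engine = newServerEngine(buildServerContext(key, chain));
        System.out.println("leaf: " + chain.get(0).getSubjectX500Principal());
        System.out.println("protocols: " + String.join(",", engine.getEnabledProtocols()));
    }
}
```

In the asker's setup the key and chain come from the database, so only `buildServerContext` and `newServerEngine` are needed; the PEM helpers exist to make the example runnable from disk. If the server must authenticate clients as well, initialise a `TrustManagerFactory` with a store holding the client CA, pass `tmf.getTrustManagers()` as the second argument to `ctx.init`, and call `engine.setNeedClientAuth(true)`.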