
Hope you are doing fine!

My question is about the CA trusted certificate list. I have a middleware written in Java Spring with Apache Camel; its interfaces connect different source and target systems using web APIs (both sync and async can be expected). The communication between source and target is established using 1-way / 2-way SSL, and for successful communication we maintain the client certificates in a truststore. Whenever a certificate expires the communication fails, as expected, and to make it work again we have to upload the latest CA certs. There are many such integrations, and every time a cert expires we need to do this activity manually for each interface.

Our thought process is to automate this: whenever a certificate expires, the new one will be uploaded. I went through a couple of posts which talk about the list of CAs maintained by Mozilla, Microsoft and others, but I didn't find any reference or APIs to download this. Could you please help with how we can manage certificates easily?

Thanks, KP
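
The rotation the question describes, as an added example (not the asker's code, and not something the question's own middleware does): a Java program that opens a dedicated PKCS12 truststore, reports entries that are expired or about to expire, imports replacement certificates a partner has delivered as PEM files, and prunes entries that have already expired. The paths, password and the fingerprint set are assumptions; nothing in the post names them. The one security-relevant design choice is that a replacement is only imported when its SHA-256 fingerprint was confirmed with the partner beforehand, so a file that merely appears in the drop directory cannot add a trust anchor by itself. Requires Java 17+ for `java.util.HexFormat`.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HexFormat;
import java.util.List;
import java.util.Set;

/**
 * Added example, not code from the original post. Rotates partner certificates in a
 * PKCS12 truststore kept separate from the JDK's cacerts. Paths, password and the
 * approved-fingerprint set below are assumptions for illustration.
 */
public class TruststoreRotator {

    static final Path TRUSTSTORE_PATH = Path.of("/etc/middleware/partners.p12");   // assumed path
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();          // assumed password
    static final Path INCOMING_DIR = Path.of("/etc/middleware/incoming-certs");    // assumed drop directory
    static final Duration WARN_BEFORE = Duration.ofDays(30);

    // SHA-256 fingerprints (lower-case hex, no colons) confirmed with each partner out of band,
    // e.g. via `openssl x509 -in partner.pem -noout -fingerprint -sha256`. Left empty here:
    // a file whose fingerprint is not listed is rejected, never imported.
    static final Set<String> APPROVED_FINGERPRINTS = Set.of();

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTruststore();
        for (String alias : expiringBefore(ts, Instant.now().plus(WARN_BEFORE))) {
            System.out.println("expired or expiring within 30 days: " + alias);
        }

        int imported = 0;
        try (DirectoryStream<Path> pems = Files.newDirectoryStream(INCOMING_DIR, "*.pem")) {
            for (Path pem : pems) {
                X509Certificate cert = readCertificate(pem);
                String fp = sha256Fingerprint(cert);
                if (!APPROVED_FINGERPRINTS.contains(fp)) {
                    System.out.println("rejected " + pem + ": fingerprint " + fp + " not approved");
                    continue;
                }
                cert.checkValidity();                          // throws if not yet valid or already expired
                ts.setCertificateEntry(aliasFor(cert), cert);  // old and new entries coexist during overlap
                imported++;
            }
        }

        int removed = removeExpired(ts, Instant.now());
        if (imported > 0 || removed > 0) saveTruststore(ts);
        System.out.println("imported " + imported + ", removed " + removed);
    }

    static KeyStore loadTruststore() throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        if (Files.exists(TRUSTSTORE_PATH)) {
            try (InputStream in = Files.newInputStream(TRUSTSTORE_PATH)) {
                ts.load(in, TRUSTSTORE_PASSWORD);
            }
        } else {
            ts.load(null, TRUSTSTORE_PASSWORD);  // start with an empty store
        }
        return ts;
    }

    /** Write to a temp file, then replace atomically, so a crash never leaves a truncated store. */
    static void saveTruststore(KeyStore ts) throws Exception {
        Path tmp = TRUSTSTORE_PATH.resolveSibling(TRUSTSTORE_PATH.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ts.store(out, TRUSTSTORE_PASSWORD);
        }
        Files.move(tmp, TRUSTSTORE_PATH, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
    }

    /** Aliases of trusted-certificate entries whose notAfter lies before the deadline. */
    static List<String> expiringBefore(KeyStore ts, Instant deadline) throws Exception {
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            if (c.getNotAfter().toInstant().isBefore(deadline)) result.add(alias);
        }
        return result;
    }

    static int removeExpired(KeyStore ts, Instant now) throws Exception {
        List<String> expired = expiringBefore(ts, now);   // collect first, then delete
        for (String alias : expired) ts.deleteEntry(alias);
        return expired.size();
    }

    static X509Certificate readCertificate(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            // CertificateFactory accepts both PEM ("-----BEGIN CERTIFICATE-----") and DER input
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
    }

    /** Subject plus serial, so a renewed certificate with the same subject gets its own entry. */
    static String aliasFor(X509Certificate cert) {
        return (cert.getSubjectX500Principal().getName() + "#" + cert.getSerialNumber().toString(16)).toLowerCase();
    }
}
```

Two caveats a practitioner should keep in mind when wiring this into Camel or Spring. First, an `SSLContext` copies the truststore contents when its `TrustManager` is initialised, so a running route does not see the rewritten file; the SSL context (Camel's `SSLContextParameters`, or the Spring bean that builds it) has to be rebuilt, or the application restarted, after rotation. Second, point this at a store that holds only partner certificates, never at the JDK's `cacerts`, and verify the result with `keytool -list -v -keystore partners.p12`, which prints the validity period of every entry.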

  • I am sorry, what does an expired client certificate have to do with the root-CA list provided by Mozilla/MS? Root CAs typically have a lifetime of 10+ years and thus don't need to be updated often. – Robert Jul 12 '21 at 13:03
  • The Java certificate store is available as a `KeyStore`, into which you can programmatically insert certificates. Of course, you'd best use a separate key store for this and configure it for TLS specifically. How you then obtain the certificates is up to you. But remember: inherently trusting CA certificates is dangerous practice; you might as well extend the lifetime of the current certificates. – Maarten Bodewes Jul 12 '21 at 23:35
  • Thanks for the suggestion @MaartenBodewes. Currently I'm referring to the Java-provided cacerts, but that doesn't include all the CAs. One way to update is by programmatically downloading the latest certs from the respective provider and updating the same in the cacerts file. Currently I didn't find any APIs from the providers to download certs; maybe the only way is to download from their web site and update the common cacerts file. Since there is a good chance of connecting to more diverse source and target systems in future, managing the dependent certs in a common truststore via automation will reduce a lot of effort. – KARTHIK PRABHU N Jul 14 '21 at 05:54
  • @MaartenBodewes Yes, I will consider not trusting all the provided CAs, as this leads to security issues. Thanks for your suggestion. – KARTHIK PRABHU N Jul 14 '21 at 05:55
  • @Robert - Sorry for not being clear... It's not just CA certs; we can expect public certs as well from the provider, which normally have 2 to 3 years until expiration. Ideally the provider has to notify us so that we can take action from our end by updating the latest certs in our common truststore. As per Microsoft, by default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority (CA) is one year. After one year, the certificate expires and is not trusted for use. https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/change-certificates-expiration-date – KARTHIK PRABHU N Jul 14 '21 at 06:01
  • @KARTHIKPRABHUN Even providers don't use stand-alone self-signed certificates these days. Usually they also operate their own CA, which you can trust instead of individually trusting each certificate. If your provider does not have a CA and uses stand-alone self-signed certificates, then they are stupid and incompetent and you should consider changing your provider. – Robert Jul 14 '21 at 07:06
  • @Robert - The certificates are signed by leading providers. I don't think all the CAs have long-term validity. As you can see in the above Microsoft link, the cert will expire every one or two years; that is my concern. In this case we need to automate the certificate update when a new one is released. – KARTHIK PRABHU N Jul 19 '21 at 07:45
  • For server certificates of public servers I would use Let's Encrypt. They provide certbot, an automated way to renew certificates. Not sure if they support your server out-of-the-box, but certbot is more or less the current de facto standard for automated server certificate retrieval. – Robert Jul 19 '21 at 08:12
  • @Robert - Will check the suggested tool. Thank you! – KARTHIK PRABHU N Jul 22 '21 at 09:52

0 Answers