how to use two separate SSL certs when my app calls different endpoints?

Hey guys. I have a Spring application. There are two endpoints that are being called in it (for example endpoint1 and endpoint2), and also there are two security certificates (for example certificate1 for endpoint1 and certificate2 for endpoint2). I have a problem: how to switch between certificates? Because once the application is running, the JKS is already loaded. How to approach this issue? Thanks in advance.
55 Replies
JavaBot
JavaBot6mo ago
This post has been reserved for your question.
Hey @bambyzas! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
Peter Rader
Peter Rader6mo ago
A JKS can contain multiple certificates. You could put both certificates into the one keystore, and the endpoints will decide what certificate to use by themselves.
JavaBot
JavaBot6mo ago
💤 Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived. If your question was not answered yet, feel free to re-open this post or create a new one. In case your post is not getting any attention, you can try to use /help ping. Warning: abusing this will result in moderative actions taken against you.
bambyzas
bambyzasOP6mo ago
Really? I had an idea about being able to load both certificates into the keystore and reference the one I need at any given time with an alias. Shouldn't I be using SSL bundles?
Peter Rader
Peter Rader6mo ago
Have you installed the KeyStore Explorer? It is a very nice tool.
bambyzas
bambyzasOP6mo ago
Sure, I have it. I have set up my JKS with two certs a long time ago, so this part is done, but I don't know what to do next.
Peter Rader
Peter Rader6mo ago
Start the app and try to use the endpoints. Are there any exceptions?
bambyzas
bambyzasOP6mo ago
App starts fine, but wait there for a minute. How is Spring gonna decide which certificate to use for which endpoint? I just want to understand.
Peter Rader
Peter Rader6mo ago
Is it an incoming connection to your app? Is it an outgoing connection from your app?
bambyzas
bambyzasOP6mo ago
Um, idk tbh. My app is running, and then it will be making calls to the 3rd party endpoints. So as I understand it's an outgoing connection.
Peter Rader
Peter Rader6mo ago
Ok, then it is an outgoing connection from your app. Well, we have 3 phases: 1. Handshake, 2. Certificate check, 3. Key Exchange. Here is a good tutorial: https://youtu.be/j9QmMEWmcfo?t=194 In stage 3 the keys decide what certificates are used for data-transfer. In phase 1 the TLS asks what ciphers should be used, what encoding algorithm should be used and what blocksize should be used for data-transfer and key-interchange. In phase 2 the endpoint guarantees to your app that it is authentic. In phase 3 your app sends the signatures of all certificates your app knows, the endpoint then reports what signature matches best, then your app uses the according certificate. Then you have a TLS session (aka SSL session). btw: in the video your app is the "client" and the endpoint is the "server".
bambyzas
bambyzasOP6mo ago
"In phase 3 your app send the signatures of all certificates your app knows, the endpoint then report what signature matches best, then your app use the according certificate." Okay, but if I have completely different endpoints with different hosts? Like facebook.com/endpoint1 and google.com/endpoint2?
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
But there are two completely separate targets with separate hostnames. How does the target know which cert to choose? It will just blindly check trustedCertEntry?
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
Wait. So I can just dump all my certs into one JKS, and I can just call two completely different APIs and everything will be fine?
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
😦
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
I don't have such an env var.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
Can you explain this? I don't understand how to read it, and why is it a match like u said?
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
And why is it a match like u said?
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
But you are sending one certificate here.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
ok
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
But here I can't see the trustedCertEntry field that u mentioned.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
But wait. The Java app isn't sending the JKS, it's sending one cert to the API.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
um, yes
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
Yes. I never said such a thing as a trust store.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
yes
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
Oh, now it makes sense.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
Okay. But what would happen if my API provider changes the root cert?
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
No, I mean the root certificate in general, you know, companies sometimes change their root certs. That's what I meant.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
The current root cert is CN DigiCert Global Root CA, but soon it will be changed to DigiCert Global G2 TLS RSA SHA256 2020 CA1. So the signer (like u said) will not remain unchanged.
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
Idk if the signer changes. As I understand it remains the same DigiCert Global?
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
Can you provide me some info/resources on that? Bc I tried googling and couldn't find any info 😦
Unknown User
Unknown User6mo ago
Message Not Public
bambyzas
bambyzasOP6mo ago
hi
Unknown User
Unknown User6mo ago
Message Not Public
Peter Rader
Peter Rader6mo ago
I was busy, but I see @imp_o_rt took it just right. Thanks.