Re: JDBC with SSL

From: Craig Ringer <ringerc(at)ringerc(dot)id(dot)au>
To: Walter Hurry <walterhurry(at)lavabit(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC with SSL
Date: 2011-12-07 05:06:13
Message-ID: 4EDEF445.10006@ringerc.id.au
Lists: pgsql-jdbc

On 07/12/11 03:43, Walter Hurry wrote:
> On Tue, 06 Dec 2011 08:45:48 +0800, Craig Ringer wrote:
>
>> On 12/06/2011 02:46 AM, Walter Hurry wrote:
>>> -------------------------------------------------------------
>>> $ java -Djavax.net.ssl.keyStore=$HOME/.postgresql/clientstore \
>>> -Djavax.net.ssl.keyStorePassword=changeit \
>>> -Djavax.net.ssl.keyStoreType="jks" \
>>>
>> I thought you could only use a JECKS store when including private keys?
> Sorry, I'm pretty new to all this. What is a JECKS store? Does it mean I
> have the keyStoreType wrong?

JKS and JECKS are two different key store formats. Keytool understands
both. If my memory serves, JECKS is the encrypted keystore format,
intended for storing private key data. I think you can use JECKS for
both certificate and key data, but you can use JKS only for certificate
data, NOT for key data.

If you want your trusted certs and your client certs+keys in the same
store, use a JECKS store by passing the "-storetype JECKS" argument to
keytool when creating the store and importing a cert into it. I have the
niggling memory that if you use the JKS store (default) then keytool
imports the certificate from your input pkcs#2 (or whatever) file and
ignores the key.

--
Craig Ringer
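
An added example, not part of the message above or of the PostgreSQL JDBC driver: a small Java check that loads the store named by the same `javax.net.ssl.keyStore*` system properties as the quoted command and reports, per alias, whether the entry holds a private key or only a certificate. The class name `KeyStoreCheck` is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: lists what a keystore really contains, so a store that holds
// only certificates (and no client private key) is caught before connecting.
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        // Same system properties as the quoted "java -D..." command line.
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType",
                                         KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl.keyStorePassword");
        if (path == null) {
            System.err.println("usage: java -Djavax.net.ssl.keyStore=<file>"
                + " [-Djavax.net.ssl.keyStoreType=<type>]"
                + " [-Djavax.net.ssl.keyStorePassword=<pw>] KeyStoreCheck");
            System.exit(2);
        }
        // Throws KeyStoreException if no installed provider supports the type.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // A null password loads the store without the integrity check.
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            String kind = "other entry";
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                kind = "private key + certificate chain";
                privateKeys++;
            } else if (ks.isCertificateEntry(alias)) {
                kind = "trusted certificate only (no key)";
            }
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                ? ((X509Certificate) c).getSubjectX500Principal().getName()
                : "-";
            System.out.printf("%-16s %-34s %s%n", alias, kind, subject);
        }
        if (privateKeys == 0) {
            System.out.println("No private key entry: this store cannot "
                + "supply a client certificate.");
            System.exit(1);
        }
    }
}
```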
