bilal_azam

Reputation: 4800

Saving private key with certificate in keystore - Android

I have gone through this question but couldn't really figure out why we need it here. I have created a self-signed SSL certificate and am testing it on my Android device. I have stored it in a keystore and use it like this:

import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

// Load the BKS truststore shipped as an app asset (default type is BKS on Android)
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(context.getAssets().open("self.jks"), "password".toCharArray());

// Build a TrustManagerFactory that trusts only the certificates in that keystore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

It works fine, i.e. I get the correct response from the server. My keystore looks like this:

Keystore type: BKS
Keystore provider: BC

Your keystore contains 1 entry

Alias name: ca
Creation date: Apr 22, 2017
Entry type: trustedCertEntry

Owner: CN=92.168.10.11,[email protected],O=Self,L=Islamabad,C=PK
Issuer: CN=92.168.10.11,[email protected],O=Self,L=Islamabad,C=PK
Serial number: f2b8e66caa28f0da
Valid from: Tue Apr 18 19:29:45 PKT 2017 until: Wed Apr 18 19:29:45 PKT 2018
Certificate fingerprints:
     MD5:  2A:46:42:A8:7B:10:21:19:5F:B0:E2:A8:A1:BF:76:D3
     SHA1: 6A:18:AE:C7:4A:46:77:23:63:6B:8F:B8:40:46:49:47:67:30:5A:D5
     SHA256: B9:83:1A:D7:92:72:77:C2:88:AE:37:34:B4:70:31:94:C4:4E:03:7E:23:96:63:0C:00:E4:7F:35:B9:67:12:97
     Signature algorithm name: SHA256WithRSAEncryption
     Version: 1


*******************************************
*******************************************

while the book I am following has a keystore like the following:

Alias name: asynchronous_client
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: C=UK,ST=Birmingham,L=Birmingham,O=Packt Publishing,OU=Packt
Publishing,CN=asynchronous_client
Issuer: C=UK,…,CN=packt
Certificate[2]:
Owner: C=UK,…,CN=packt
Alias name: ca
Entry type: trustedCertEntry
Owner: C=UK,…,CN=packt
Issuer: C=UK,…,CN=packt

They have both a private key and a certificate. I want to know:

Why do they need the private key here if everything works fine without it? If we really need it, how will it be used in the SSL handshake?

Upvotes: 2

Views: 1852

Answers (1)

nandsito

Reputation: 3852

Why do they need the private key here if everything works fine without it? If we really need it, how will it be used in the SSL handshake?

The client doesn't need the server private key to perform an SSL handshake. It's not just unnecessary but also a security issue, because if anyone other than the server has a copy of the key, one can act on behalf of the server, e.g. as a man-in-the-middle. A private key should not be with anyone other than its owner.

In this case, you should provide the client only with the server certificate (or a keystore containing it).

Upvotes: 1
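Putting the answer's point into code (an added example, not the asker's or the answerer's): the client loads a trust store that should hold only trustedCertEntry items, refuses one that carries a private key, and hands TrustManagers but no KeyManagers to the SSLContext. The class and method names are illustrative, and the "self.jks" asset and "password" come from the question.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Illustrative class; names are not from the question or the book.
public final class TrustStoreOnly {

    /**
     * Load the trust store and stop if it carries any private key.
     * A PrivateKeyEntry in a client-side trust store means a key that was
     * never meant to leave its owner has been bundled into the app.
     */
    static KeyStore loadTrustStore(InputStream in, char[] password) throws Exception {
        // Default type is BKS on Android, matching the question's keystore.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, password);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                throw new KeyStoreException(
                        "trust store must not contain a private key (alias '" + alias + "')");
            }
        }
        return ks;
    }

    /** Build an SSLContext that trusts only the certificates in the store. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // KeyManagers are null: the client presents no certificate of its own.
        // A client-side PrivateKeyEntry is only consulted (via a KeyManagerFactory)
        // when the server requests client authentication; it is never the server's key.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** On Android, pass context.getAssets().open("self.jks") as the stream. */
    static HttpsURLConnection open(URL url, InputStream trustStoreAsset) throws Exception {
        KeyStore ks = loadTrustStore(trustStoreAsset, "password".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(contextFor(ks).getSocketFactory());
        return conn;
    }
}
```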
