Is it secure to distribute a client / server application with same SSL Key/TrustStore?

Question

I'm working on a client / server application. Client and server connect via NIO and the connection is secured by SSL. I based my architecture on this GitHub Project.

Right now KeyStore and TrustStore (for client and server) are stored as resources to my project and loaded when they are needed during the connection process.

Is this a secure solution?

If I was to publish the application that would mean every copy of client and server would be using the same KeyStore and TrustStore. This would make things very simple. But is it safe?

The alternative solution would be to have the end user manage their certificates themselves which seems overly complicated.

EDIT:

Clarification: Client and server are mutually authenticating. They each have their own private key.

Answer 1

It's OK to use the same key for all clients, as long as you enforce ECDHE or DHE (perfect forward secrecy). In that case the key is only used to prove identity of the client, while a new, ephemeral key is used for communication. Otherwise clients are able to sniff and decrypt each others traffic.

And of course one key for all clients means if a client's key is compromised, you need to issue a new key and distribute to all the clients.

Answer 2

Using the same key for server and client means that the clients will be able to impersonate the server. In most cases where TLS is used, this is usually undesirable. It only makes sense when you fully control both server and client side.

If you're going to use the same certificate for client and server, you're essentially not really benefitting from asymmetric cryptography. Your system may be much simpler if you just use symmetric key, like with TLS-PSK.