Reputation:
I use the following TrustManager to accept self-signed certificates from my local test server in my Java application:
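    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public class CertificateAcceptor {
        private TrustManager[] createTrustManager() {
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    // the interface contract requires a non-null (possibly empty) array
                    return new X509Certificate[0];
                }
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    // left blank: every server certificate is trusted
                }
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    // left blank: every client certificate is trusted
                }
            }};
            return trustAllCerts;
        }
    }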
I have some security concerns with that, since as far as I know, this simply accepts all certificates. So I'm asking myself if there is a way to only accept certificates that are coming from localhost on port 9443?
Upvotes: 1
Views: 1108
Reputation: 9615
Assuming that these are your self-signed certificates and not just any self-signed certificates, it would probably make better sense to create your own certificate authority so you can have valid, signed certificates instead of creating workarounds and losing the benefits of having certificates.
By creating your own CA you can sign your own certificates and then simply import the CA certificate into your Java keystore. Then no more problems with self-signed certs. Plus you have the added benefit of being able to trust the certificate (assuming you take good care of your certificate keys).
Being your own CA is actually much easier than you might think. At least that was the case for me.
Here is a link with some step-by-step instructions. http://sandbox.rulemaker.net/ngps/m2/howto.ca.html
Upvotes: 4