Do we need to add the verified CA in VM TrustStore when making connection from java?

Question

I am making a call from one application sayApp1 to another application(say App2) authorized by verfied CA like Verisign or Thawte like

String urlStr="https://myApp2/welcome"
HttpsURLConnection conn1 = (HttpsURLConnection) url.openConnection();
conn1.getInputStream()

Do i need to import that certificate issued by App2 somewhere in VM truststore of app1? This is the case when they are on different tomcat server(so different vm).

What about the same scenario if they are on same tomcat server(i mean same vm)?

i know in case of browser it is not required to import the certificate signed by CA's like verisign,thawte etc but what about when making the connection from java?

Edit:-

As you said This will be the same regardless of the server they are installed

It means ever webserver checks the cacerts file that shipped with Java 1.6.0_30 . so if client jvm has those certicates, we dont have to do anything.

This cacerts file check is done only when we are making the url connection from java code. In case of browser it will just check browser truststore.RIGHT?

To move my site to https i followed below step

C:\Program Files\Java\jdk1.6.0_23>keytool -genkey -alias tomcat -keyalg RSA which generated .keystore file Finally i made changes in server.xml and it worked keystoreFile="c:/.keystore" keystorePass="changeit"

After going thru too many material on net i am bit confused about which approach i just followed(did i create my own CA or i just created self signed certificate which needs to be present at client side) ?

Answer 1

Your question is really confusing (this is the least I can say).
You start saying that you need communication with an application that deploys a certificate signed by a trusted CA like Verisign and end up asking what kind of certificate does keytool generated that you used in your Tomcat!

Anyway:

Do i need to import that certificate issued by App2 somewhere in VM truststore of app1? This is the case when they are on different tomcat server(so different vm). What about the same scenario if they are on same tomcat server(i mean same vm)?

This does not matter.If you don't define for your client app a specific truststore then java's default will be used.

If the app2 sends a certificate signed by a trusted issuer like Verisign then you don't have to do anything (as @laz also points out). Since Verisign's certificate should already be present in your java installation cacerts

After going thru too many material on net i am bit confused about which approach i just followed(did i create my own CA or i just created self signed certificate which needs to be present at client side) ?

You created a self-signed certificate (and a private key of course). You will need to import this in your client's truststore and of course use that keystore as your server's keystore.

Answer 2

It depends. The cacerts file that shipped with Java 1.6.0_30 has 76 entries. If the certificate used by the other application was verified by one of the those vendors using one of those certificates, no importing will be necessary. This will be the same regardless of the server they are installed on if the protocol used is HTTPS. Sometimes vendors have new certificates that will require updates to cacerts. This is typically fixed by JVM upgrades. If the public key of the certificate used to verify the other application is not in cacerts then it will need to be imported to establish trust.