One of the problems we have today in using SSL in Java is that our
keystores and truststore are generated at install time and don't seem to
ever really get updated and are hence not kept in synch with the openssl
certificate/keys that we use in C++.
I was asked to devise a way whereby the Java side of things could stay
in synch with the openssl certificates and keys.
Using a set of SSL utilities (not-yet-common-ssl), I've been able to
write a Java application which:
1) scans our ssl directory for the installed openssl private keys and
certificates and then creates appropriate Java keystores for each
private key/certificate pair.
2) scans our ssl/authorities directory for CA certificates and then
creates a Java truststore containing all of the CA Certificates found as
well as all of the Java installation default CA certificates (like
Verisign).
Ideally, I'd like to do this on the fly (utility in sipxcommons) and
keep the Keystores and Truststore in memory so that they could be used
immediately by any sipXecs java component requiring a
Keystore/Truststore. Unfortunately, I haven't been able (not yet) to
determine a way to be able to set the Keystore and Truststore to in
memory objects (of type java.security.KeyStore), thereby ensuring we're
always in synch with the openssl keys/certificates. As a result, I've
coded the application to overwrite the existing keystores and truststore
files stored in our ssl directory for use by the java components.
In the interim, while I try to figure out a way to use in memory
keystores and truststore, I'd like to modify the sipXecs startup script
to run this Java application so that at least we can be sure that we are
kept in synch with the openssl keys/certificates.
P.S. Adding new openssl CA Certs or private keys/certificates can easily
be done by dropping them in the appropriate ssl directory and then
restarting. The restart would trigger the regeneration of the keystores
and truststore thereby keeping the Java components in synch.
Any comments/suggestions as an interim solution or even a suggestion on
how to use in memory keystores or truststores are welcome.
Raymond
_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
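The in-memory approach the post asks about, as an added example that is not part of the original mail or of sipXecs: a KeyStore built from the openssl key/certificate pairs and a truststore merging the JVM's default CAs with the ssl/authorities certificates are handed straight to an SSLContext, so no keystore file is ever written. It assumes Java 8 or later, private keys stored as PKCS#8 PEM named <name>.key beside <name>.crt, CA certificates as *.crt, and the standard cacerts password "changeit"; the class name and file layout are hypothetical.

```java
import java.io.InputStream; import java.util.Base64;
import java.nio.file.*; import java.security.*; import java.security.cert.*;
import java.security.spec.PKCS8EncodedKeySpec; import javax.net.ssl.*;
public class InMemoryStores {
    // Assumes PKCS#8 PEM ("BEGIN PRIVATE KEY"); OpenSSL's legacy PKCS#1 "BEGIN RSA
    // PRIVATE KEY" files must be converted first with `openssl pkcs8 -topk8 -nocrypt`.
    static PrivateKey readPkcs8Pem(Path pem) throws Exception {
        String body = new String(Files.readAllBytes(pem), "US-ASCII")
            .replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(body)));
    }
    static X509Certificate readCertPem(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {   // CertificateFactory accepts PEM directly
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    // Key store built in memory: one entry per <name>.key / <name>.crt pair found in sslDir.
    static KeyStore buildKeyStore(Path sslDir, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                        // empty store; never touches disk
        try (DirectoryStream<Path> keys = Files.newDirectoryStream(sslDir, "*.key")) {
            for (Path key : keys) {
                String name = key.getFileName().toString().replaceFirst("\\.key$", "");
                Path crt = sslDir.resolve(name + ".crt");
                if (!Files.exists(crt)) continue;   // unpaired key: skip rather than guess
                ks.setKeyEntry(name, readPkcs8Pem(key), pw, new Certificate[] { readCertPem(crt) });
            }
        }
        return ks;
    }
    // Trust store: the JVM default CAs (cacerts) plus every PEM certificate in authoritiesDir.
    static KeyStore buildTrustStore(Path authoritiesDir) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) { ts.load(in, "changeit".toCharArray()); }
        try (DirectoryStream<Path> cas = Files.newDirectoryStream(authoritiesDir, "*.crt")) {
            for (Path ca : cas) ts.setCertificateEntry("ca-" + ca.getFileName(), readCertPem(ca));
        }
        return ts;
    }
    // Both stores go to the SSLContext directly; no javax.net.ssl.*Store properties or files involved.
    static SSLContext sslContext(KeyStore ks, char[] pw, KeyStore ts) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

A component that wants to follow the openssl directory at runtime can simply rebuild the two stores and call `sslContext(...)` again whenever a file changes, since nothing here depends on the keystore files in the ssl directory.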