Maksym Maksym - 1 year ago 62
Java Question

Does JSSE use a certificate in a PrivateKeyEntry as a trust anchor?

If a key store containing one or more

is specified as a trust store, will JSSE create a trust anchor from the end-entity certificate in each of those entries?

In other words, is it enough to have a certificate under a
if we have one keystore with both trusted and private entries? Or, must we also add that certificate as a

Answer Source

It doesn't matter where the certificate is placed, either under PrivateKeyEntry or under trustedCertEntry; the JVM trusts the host from the certificate anyway.

Tested locally.

Run a local server with HTTPS and a keystore with only one PrivateKeyEntry.

And run the client with this code:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public static String getHTML(String urlToRead) throws Exception {
    StringBuilder result = new StringBuilder();
    URL url = new URL(urlToRead);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    // Read the response body line by line; the TLS handshake happens on getInputStream()
    try (BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
        String line;
        while ((line = rd.readLine()) != null) {
            result.append(line);
        }
    }
    return result.toString();
}

public static void main(String[] args) throws Exception {
    String testUrl = "https://localhost/test";
    System.out.println(getHTML(testUrl));
}

Without any:

Exception in thread "main" PKIX path building failed: unable to find valid certification path to requested target

With truststore that contains only one PrivateKeyEntry (the same jks file that was used for server as keystore):
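The same question can be answered offline, without standing up an HTTPS server: build a TrustManagerFactory from the keystore file and list the trust anchors it accepts. The following is an added example, not code from the original answer. It assumes a keystore file path and password passed on the command line (defaulting to the placeholder values `server.jks` and `changeit`), and it is loaded with the JVM's default keystore type, which on JDK 9 and later reads both JKS and PKCS12 files. For each alias it prints whether the entry is a PrivateKeyEntry or a trustedCertEntry and whether its certificate appears among the accepted issuers of the PKIX trust manager.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {

    // Builds the default (PKIX) trust manager from the keystore, exactly as JSSE does
    // when the file is handed over as a trust store, and collects its accepted issuers.
    static Set<X509Certificate> acceptedAnchors(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        Set<X509Certificate> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return anchors;
    }

    // For a PrivateKeyEntry the candidate anchor is the end-entity certificate,
    // i.e. the first element of the chain; for a trustedCertEntry it is the entry itself.
    static X509Certificate entryCertificate(KeyStore ks, String alias) throws Exception {
        if (ks.isKeyEntry(alias)) {
            Certificate[] chain = ks.getCertificateChain(alias);
            // SecretKeyEntry has no certificate chain; skip such aliases
            return chain == null ? null : (X509Certificate) chain[0];
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder values; point these at the keystore the server actually uses.
        String path = args.length > 0 ? args[0] : "server.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        Set<X509Certificate> anchors = acceptedAnchors(ks);
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = entryCertificate(ks, alias);
            if (cert == null) {
                continue;
            }
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            System.out.printf("%-20s %-17s anchor=%-5b %s%n",
                    alias, kind, anchors.contains(cert), cert.getSubjectX500Principal());
        }
    }
}
```

Run it as `java TrustAnchorCheck server.jks changeit`. A PrivateKeyEntry whose line shows `anchor=true` confirms the answer's observation: the end-entity certificate of a key entry is taken as a trust anchor, so no separate trustedCertEntry copy is needed. When a server's own keystore is reused as the client's trust store this way, every private key in that file also becomes a trust anchor for the client, which is worth keeping in mind before doing it outside a local test.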