2 Replies Latest reply on Mar 18, 2007 3:09 AM by Gang Duan

    is it safe to pack keystore file in my application and ship

    Gang Duan Newbie

      guys,

      I have a WebService provided through SSL. Also I am providing my customer a client package that can be easily used to connect to this WebService. In order to make it work, I need to generate and pack the keystore file along with the client package.

      I am no security expert, but just try to make the things easier for my customer. My question is, is it safe to pack the keystore in my client package? If it is not safe, what is the recommended way(s) to do it?

      Thanks,
      g

        • 1. Re: is it safe to pack keystore file in my application and s
          Peter Johnson Master

          I have also been contemplating something similar, but came up with several reasons why this would not be a good idea.

          First, using keytool to generate a certificate is fine for development, test and even perhaps internal use. But if the application will be interacting with users outside of the company then you will want to get a certificate from a valid certificate authority such as VeriSign. That of course costs money, though if you charge for your product you could always include the cost of the certificate in the cost of the product.

          Second, each customer needs its own certificate. That is, you cannot generate a single certificate and use it for every customer. This then becomes a packaging issue - you cannot simply generate a stack of CDs and give one to each customer - each CD has to be custom made.

          Third, the certificate has a public and private key. The more people who handle the private key the more likely it is to be compromised. As a business concerned about maintaining privacy, both of my own information and that of my customers (since violating customer privacy can result in various government-imposed penalties), I would not want anyone else to have access to my private key.

          These are the ones I have thought of so far. My current thought is to offer to generate a certificate using keytool as part of the installation of my product, or allow the customer to provide information about the keystore that the customer has set up (presumably with a certificate from an authority such as VeriSign) and have the installer hook up to that keystore. While this might not be as convenient, it is more secure.