I’m writing a Java desktop application that will be available to the public. It will contact backend APIs via HTTPS using Jersey client.
I don’t know anything about using certificates in desktop apps but from what I’ve found out so far I’ll need to create an SSLContext that reads a public certificate from a KeyStore that is protected by a password.
I’m assuming I can distribute the contents of the KeyStore by packaging it in the Jar of my app. But I don’t see how I can securely make the key store password available to the app. I don’t want the users to have to enter it manually.
You can generally read public keys without the password. The default cacerts file comes with the password changeit but can be read without the password.
If you use a commercial certificate, Java may be able to connect without needing significant setup.
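Worked example of the point made in this answer, added here and not part of the original post: a truststore that holds only certificates can be opened with a null password (this skips the JKS integrity check but still returns the certificate entries), and the resulting KeyStore can feed a TrustManagerFactory and an SSLContext that Jersey's client accepts. The resource name /backend-truststore.jks is an assumption; the example uses the JKS format that the null-password load applies to, while a PKCS12 store whose certificate bags are encrypted would still need the password.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreLoader {

    // Loads a JKS truststore bundled in the jar as a classpath resource.
    // A null password skips the store's integrity check but still yields the
    // trusted-certificate entries, which is all an HTTPS client needs; no
    // private key is involved, so no secret has to ship with the app.
    public static KeyStore loadTrustStore(String resourcePath) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = TrustStoreLoader.class.getResourceAsStream(resourcePath)) {
            if (in == null) {
                throw new IllegalStateException("truststore resource not found: " + resourcePath);
            }
            ks.load(in, null); // null password: read entries without integrity verification
        }
        return ks;
    }

    // Builds an SSLContext that trusts exactly the certificates in the store.
    // No KeyManager is supplied because the client does not authenticate itself.
    public static SSLContext sslContextFrom(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical resource name; replace with the truststore packaged in the jar.
        KeyStore ks = loadTrustStore("/backend-truststore.jks");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            System.out.println(alias + " -> " + (c == null ? "(no certificate)" : c.getType()));
        }
        SSLContext ctx = sslContextFrom(ks);
        // With Jersey (JAX-RS): ClientBuilder.newBuilder().sslContext(ctx).build()
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
    }
}
```

Because the bundled store contains only public certificates, anyone extracting it from the jar learns nothing secret; the password only guards against tampering with the file, and a client that loads it without the password simply forgoes that check. The trust decision itself still rests on the TrustManager validating the server's chain against these entries.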