How to Use Java Keystore with Custom SSL Certificates (igorstechnoclub.com)
5 points by Igor_Wiwi 3 days ago | 3 comments





I gotta say, as someone who uses Java for the majority of my professional day-to-day work, Java’s keystore and truststore workflow is very annoying. Compare to Go, Rust, etc. where you just point your HTTP server (or what have you) at some PEM files and off you go.

It’s not a huge deal in the grand scheme of things, but it’s frustrating to need to do something special just for Java.


I gather the reasoning behind that is to avoid having certificates open in the filesystem.

It’s kind of why I settled on “annoying” as my descriptor. I know just enough about it to do what I need and nothing more. So maybe that’s the reason, and it’s a good reason, or maybe there’s also other good reasons. Honestly don’t know.

I’ll say that it feels somewhat pointless on every system I’ve personally used it on. In all cases I’m still generating my private key in PEM format and using filesystem permissions to restrict access. So the PKCS12 / JKS password stuff just becomes another thing to bother with that doesn’t provide any real improvement to security.

Now maybe we should be deleting that PEM once we slurp it into the keystore, and actually setting real keystore passwords sourced from a secure location and only kept in memory, etc. I’d definitely rather not though.
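An added example, not part of the thread or the linked article: one way to get the "point it at PEM files" workflow in Java is to build the keystore in memory, so no PKCS12/JKS file or keystore password is stored on disk. The class name, method name, `server` alias and file arguments are assumptions; it expects an unencrypted PKCS#8 key and a leaf-first certificate chain, and needs Java 11 or later.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class PemKeyStore {  // hypothetical helper, not from the page
    static SSLContext fromPem(Path keyPem, Path chainPem, String keyAlg) throws Exception {
        String pem = Files.readString(keyPem);
        // PKCS#1 ("BEGIN RSA PRIVATE KEY") and encrypted keys are not handled here.
        if (!pem.contains("-----BEGIN PRIVATE KEY-----"))
            throw new IllegalArgumentException("expected unencrypted PKCS#8 PEM");
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        PrivateKey key = KeyFactory.getInstance(keyAlg)  // "RSA" or "EC"
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
        Certificate[] chain;
        try (var in = Files.newInputStream(chainPem)) {  // concatenated PEM certs, leaf first
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new Certificate[0]);
        }
        // The keystore API still wants a password: use a random one that lives only in memory.
        char[] pw = new char[24];
        SecureRandom rnd = new SecureRandom();
        for (int i = 0; i < pw.length; i++) pw[i] = (char) ('a' + rnd.nextInt(26));
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);  // empty in-memory store, nothing read from or written to disk
        ks.setKeyEntry("server", key, pw, chain);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        Arrays.fill(pw, '\0');  // wipe the throwaway password once the key managers exist
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);  // default trust managers and RNG
        return ctx;
    }

    public static void main(String[] a) throws Exception {  // args: key.pem chain.pem RSA|EC
        System.out.println(fromPem(Path.of(a[0]), Path.of(a[1]), a[2]).getProtocol());
    }
}
```

The private key is still protected only by the filesystem permissions on the PEM file, which is the trade-off the comment above describes.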



