Java and SSL

**Annuate** · 06-17-2012, 08:06 PM

Hi, I am working on a project this summer(as a learning experience) using java and databases. I have the program set up as a client/server model. The client talks to the server which retrieves information from the database and sends it back to the client. I would like to implement a login system, but I would like to do it securely. I would imagine that sending the username + password in a serialized object isn't quite the best form of security for my hypothetical users. I found a tutorial using SSL in java HERE and got it set up and running. Unfortunately I don't see how to make use of this in a application if it were to be distributed to other users. Particularity dealing with the certificate and how it has to be the same for the server and the user? Is there one certificate with the server that is distributed with the client program? or is there a separate certificate for each user? I believe it is the former but I have a question about the password that is provided with the certificate as in the example; Is the password used with the certificate just the public key for the RSA encrytion or is it different per user? Explanation and/or resources explaining would be greatly appreciated. Thanks :)

**TimmerCA** · 06-23-2012, 06:10 PM

Originally Posted by Annuate

Unfortunately I don't see how to make use of this in a application if it were to be distributed to other users. Particularity dealing with the certificate and how it has to be the same for the server and the user?

When you are ready to distribute your application to the real world, you'll need to buy an SSL certificate from a certificate vendor that is recognized by Java's default key store. If you do that, then the clients will accept the server certificate without you needing to distribute your self-signed certificate to your clients.

Another, much more complex, solution is here:

Custom SSL for advanced JSSE developers

(Look at the "Roll your own TrustStore" part)