A Java trust store is an instance of KeyStore which only contains certificates. There are various types of KeyStore implementations. For example JCEKS, JKS, PKCS11 implementations are bundled with JDK. Unfortunately none of these implementations are FIPS compliant and you have to use a thirdparty implementation such as BCFKS to be FIPS compliant. You might end up having to configure your JVM with different format files for each environment.
Instead of relying on the native formats we implemented a trust store that is backed by the KeyStore API that allows you to create a trust store using a PEM file. All the pem entries from the supplied file are used for initializing the key store which in turn can be used for initializing TrustManagerFactory.
- This is a read only keystore implementation so all calls to modify entries would fail with runtime exceptions.
- You are not expected to supply a password when initializing the store
- StandardMBeans that expose metadata about the certificates loaded into the trust store for runtime monitoring.
try (InputStream in = new BufferedInputStream(new FileInputStream("src/test/resources/single.pem"))) {
KeyStore store = KeyStore.getInstance();
KeyStore store = KeyStore.getInstance(ReadOnlyPEMTrustStore.NAME, TrustStoreProvider.NAME);
store.load(in, null);
TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
factory.init(store);
}