Client SSL Configuration
SSL is configured in HttpClientConf by sslContext and sslEngineConf.
Most client applications can use the default SSL configuration without change.
The JVM ships with a set of root CA certificates, stored in a system trust store, typically JAVA-HOME/lib/security/cacerts.
By default, HttpClient uses these root CAs to authenticate server certificates. However, you may want to add additional CAs, or trust some self-signed server certificates. You can specify a different trustStoreFile for sslContext:
SSLContext sslContext = new SslConf()
    .trustStoreFile("./my-ca-certs.jks")
    .createContext();
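You may also choose to trust all server certificates, including all self-signed ones, by trustAll(). With this setting the server's certificate no longer authenticates the server, so keep it to testing and prefer a trust store that contains the specific certificate:
SSLContext sslContext = new SslConf()
    .trustAll()
    .createContext();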
To present a client certificate, specify a keyStoreFile that stores the client certificate and its public-private key pair:
SSLContext sslContext = new SslConf()
    .keyStoreType("pkcs12")
    .keyStoreFile("./jane.p12")
    .keyStorePass(PASSWORD)
    .createContext();
Some examples of using Java's keytool.
Copy JAVA-HOME/lib/security/cacerts to ./my-ca-certs.jks, then list its contents:
> keytool -list -v -keystore my-ca-certs.jks -storepass changeit
Add localhost.cer, a self-signed server certificate, to the store:
> keytool -importcert -alias localhost -file localhost.cer -keystore my-ca-certs.jks -storepass changeit
Create a self-signed certificate for "Jane":
> keytool -genkeypair -alias jane -keyalg RSA -validity 10000 -storetype pkcs12 -keystore jane.p12 -storepass password
To export the certificate to jane.cer:
> keytool -exportcert -alias jane -file jane.cer -storetype pkcs12 -keystore jane.p12 -storepass password
Note the store type is pkcs12, not jks. To convert pkcs12 to jks:
> keytool -importkeystore -srcstoretype pkcs12 -deststoretype jks -srckeystore jane.p12 -srcstorepass password -destkeystore jane.jks
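As an added example (plain JSSE, not this library's own code), the following builds an SSLContext from the two stores created by the keytool commands above and prints the fingerprint of the self-signed certificate being trusted. The class name JsseContextExample and its helper methods are hypothetical; whether SslConf builds its context the same way is not stated on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class JsseContextExample {
    static KeyStore load(String type, String file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);   // the password also checks the store's integrity
        }
        return ks;
    }

    // SHA-256 fingerprint of a trusted entry; keytool -list -v shows it colon-separated.
    static String fingerprint(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) throw new IllegalStateException("no certificate under alias " + alias);
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            hex.append(String.format("%02X", b));
        return hex.toString();
    }

    static SSLContext build(KeyStore trust, KeyStore client, char[] keyPass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);              // only entries in this store are trusted
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(client, keyPass);    // client certificate and private key
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // File names, aliases and passwords are the ones from the keytool commands on this page.
        KeyStore trust = load("jks", "./my-ca-certs.jks", "changeit".toCharArray());
        char[] pass = "password".toCharArray();
        KeyStore client = load("pkcs12", "./jane.p12", pass);
        if (!client.isKeyEntry("jane")) throw new IllegalStateException("no private key under alias jane");
        System.out.println("localhost SHA-256: " + fingerprint(trust, "localhost"));
        SSLContext ctx = build(trust, client, pass);
        System.out.println("SSLContext ready: " + ctx.getProtocol() + ", trusted entries: " + trust.size());
    }
}
```

Comparing the printed fingerprint with the one obtained from the server operator confirms that the store trusts the intended certificate.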