> Docs > Http Client > Client SSL Configuration

Client SSL Configuration

SSL is configured in HttpClientConf by sslContext and sslEngineConf.

Most client applications can use the default SSL configuration without change.

Root CAs

The JVM ships with a set of root CA certificates, stored in a system trust store, typically JAVA-HOME/lib/security/cacerts.

By default, HttpClient uses these root CAs to authenticate server certificates. However, you may want to add additional CAs, or trust some self-signed server certificates. You can specify a different trustStoreFile for sslContext

        SSLContext sslContext = new SslConf()

You may also choose to trust all server certificates, including all self-signed ones, by trustAll()

        SSLContext sslContext = new SslConf()

Client Certificate

To specify a keyStoreFile that stores the client certificate public-private key pair

        SSLContext sslContext = new SslConf()

Using keytool

Some examples of using Java's keytool.

Add CA to trust store

Copy JAVA-HOME/lib/security/cacerts to ./my-ca-certs.jks, list its content

> keytool -list -v -keystore my-ca-certs.jks -storepass changeit

Add localhost.cer, a self-signed server certificate, to the store

> keytool -importcert -alias localhost -file localhost.cer -keystore my-ca-certs.jks -storepass changeit

Create a client certificate

Create a self-signed certificate for "Jane"

> keytool -genkeypair -alias jane -keyalg RSA -validity 10000 -storetype pkcs12 -keystore jane.p12 -storepass password

To export the certificate to jane.cer

> keytool -exportcert -alias jane -file jane.cer -storetype pkcs12 -keystore jane.p12 -storepass password

Note the store type is pkcs12, not jks. To convert pkcs12 to jks

> keytool -importkeystore -srcstoretype pkcs12 -deststoretype jks -srckeystore jane.p12 -srcstorepass password -destkeystore jane.jks