From what I’ve found on the topic, the best practice is to put the private keypair that you will use to serve SSL in the Java ‘identity keystore’. Then all the public certs that you use for trust would go in the Java ‘truststore’. So, in theory I could have keystore.jks and truststore.jks and pass those in on the Java command line args.
Where is the right location for private keys that you use to authenticate with outside servers/services? For example, suppose my app subscribes to a weather data service and they issue me a private key for authenticating. Would it be best to store that in the keystore.jks file alongside the private key I’m using to serve SSL, or should it go in the truststore.jks file (in other words, just put the cert for serving in keystore and everything else in truststore)? Or should it go in some other location?
The people that manage these certs would like everything in one jks file so they don’t have to keep track of too many moving pieces, so I’m interested in the best practices and what kinds of issues you could run into if you combined everything into one JKS file.
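The following is an added example, not code from the original post, showing one way to keep the three roles the question describes apart inside a JVM: a keystore holding only the serving key pair, a truststore holding only trusted certificates, and a separate keystore holding one alias per outbound service. It also shows the problem you hit when client credentials share a store with other private keys: the JSSE default X509KeyManager picks a client alias for you by key type and by the issuer list the server sends, with no way to say "use the weather-service key for this connection", and the `-Djavax.net.ssl.keyStore` properties apply to the whole JVM. Wrapping the key manager to pin an alias avoids that. File names (`server-keystore.jks`, `client-keystore.jks`, `truststore.jks`), the password and the alias `weather-service` are placeholders assumed for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

public final class TlsStores {

    // Hypothetical paths and password; in practice read the password from a secret store, not source.
    static final String SERVER_KEYSTORE = "server-keystore.jks"; // only the key pair we serve TLS with
    static final String CLIENT_KEYSTORE = "client-keystore.jks"; // one PrivateKeyEntry alias per outbound service
    static final String TRUSTSTORE      = "truststore.jks";      // TrustedCertificateEntry only, no private keys
    static final char[] STORE_PW = "changeit".toCharArray();

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    // KeyManagerFactory.init needs a single password that unlocks every private key in the store:
    // one more reason not to mix unrelated keys in one file.
    static KeyManager[] keyManagers(KeyStore ks, char[] keyPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPw);
        return kmf.getKeyManagers();
    }

    static TrustManager[] trustManagers(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    static X509ExtendedKeyManager firstX509(KeyManager[] kms) {
        for (KeyManager km : kms) {
            if (km instanceof X509ExtendedKeyManager) return (X509ExtendedKeyManager) km;
        }
        throw new IllegalStateException("no X509ExtendedKeyManager available");
    }

    /** Delegates everything to the real key manager but always offers one chosen alias for client auth. */
    static X509ExtendedKeyManager pinClientAlias(X509ExtendedKeyManager inner, String alias) {
        if (inner.getPrivateKey(alias) == null) { // getPrivateKey returns null for unknown or non-key aliases
            throw new IllegalArgumentException("alias not found or not a private key entry: " + alias);
        }
        return new X509ExtendedKeyManager() {
            @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return alias; }
            @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return alias; }
            @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
            @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return inner.chooseServerAlias(keyType, issuers, socket); }
            @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return inner.chooseEngineServerAlias(keyType, issuers, engine); }
            @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return inner.getServerAliases(keyType, issuers); }
            @Override public X509Certificate[] getCertificateChain(String a) { return inner.getCertificateChain(a); }
            @Override public PrivateKey getPrivateKey(String a) { return inner.getPrivateKey(a); }
        };
    }

    /** Server side: our serving key pair, and the truststore used to verify any client certificates. */
    static SSLContext serverContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(load(SERVER_KEYSTORE, STORE_PW), STORE_PW),
                 trustManagers(load(TRUSTSTORE, STORE_PW)), null);
        return ctx;
    }

    /** Client side for one outbound service: same truststore, but a pinned alias from the client keystore. */
    static SSLContext clientContext(String alias) throws Exception {
        X509ExtendedKeyManager km = firstX509(keyManagers(load(CLIENT_KEYSTORE, STORE_PW), STORE_PW));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { pinClientAlias(km, alias) },
                 trustManagers(load(TRUSTSTORE, STORE_PW)), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext weather = clientContext("weather-service"); // hypothetical alias for the weather service key
        // Set the factory on this connection only; HttpsURLConnection.setDefaultSSLSocketFactory is JVM-wide.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://weather.example/api").openConnection();
        conn.setSSLSocketFactory(weather.getSocketFactory());
        System.out.println("response: " + conn.getResponseCode());
    }
}
```

With this layout the people managing the certificates still have one truststore to maintain, and the private keys are split only by role: what we present as a server versus what we present as a client. If they insist on a single JKS file, the same `pinClientAlias` wrapper can be pointed at that file for each outbound service, but every key in it must share the store password, and anyone who can read the file for one purpose gets all of the keys.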