Secure Your Sockets with JSSE
Subject:   something unclear
Date:   2001-11-02 06:35:13
From:   pinwu
After reading it carefully, I've got some questions here:

1. keytool has a switch "-selfcert"; I don't know why it is not used in this article. See Sun's doc:

To generate a self-signed certificate, use the -selfcert command, as in
    keytool -selfcert -alias dukeNew -keypass b92kqmp
        -dname "cn=Duke Smith, ou=Purchasing, o=BlueSoft, c=US"

The generated certificate is stored as a single-element certificate chain in the keystore entry identified by the specified alias (in this case "dukeNew"), where it replaces the existing certificate chain.

2. The certificates from trusted CAs can be imported into any keystore and used by any application, as long as the application uses this keystore. This is accomplished by importing the certificate from a CA using the "{-trustcacerts}" switch. See Sun's doc:

If the -trustcacerts option has been specified, additional certificates are considered for the chain of trust, namely the certificates in a file named "cacerts", which resides in the JDK security properties directory, java.home\lib\security, where java.home is the runtime environment's directory (the jre directory in the SDK or the top-level directory of the Java 2 Runtime Environment). The "cacerts" file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying "jks" as the keystore type.