I am developing a Java-based application that will run on a remote computer. This app will talk with a REST-API over the internet via HTTPS. I had this working using a truststore in P12 format. Is this the correct way to handout the SSL Cert? This program will be running on other users' computers. Will them having access to the P12 file be unsecure? If so, how could I go about this another way?
I am currently using the below for my client-software (that's on other peoples' computers):
System.setProperty("javax.net.ssl.trustStore", getFileFromResources("certs/newKeystore.p12").getAbsolutePath()); System.setProperty("javax.net.ssl.trustStorePassword", "password123");
I know on my Rest-API server, it shouldn't be a problem because it's not accessible by anyone else. I am using the same P12 file on my rest-api server as well. If I change the P12 file, I should change it on both, correct?
The reason why a trust store exists is because you are trying to create a secure communication to a web server, and you need to trust the server certificate that they offer. So a trust store contains the trust anchors for that to happen: if a valid trust path can be build to a trust anchor in the trust store then the certificate is deemed valid and - after some additional checks of e.g. the server name - the private key can be used by the server to indicate that it is the server named within the server certificate.
Great, so what kind of security needs to be present on your trust store? Well, it is that the trust store is available and unaltered. Having the trust store unavailable will obviously be a big issue. So downloading the trust store every time you need to secure a connection is adding another high availability component to your infrastructure. Maybe you already need one for CRL or OCSP service, but still.
The other thing is that the trust store should not be altered in traffic. That basically means that the connection to your service should be free from attacks. The most logical way to do this is to have it protected by TLS. In that case of course you need a trusted certificate. In the end you cannot operate without trusting something. This is why you either have to trust a server based on the cacerts, or to distribute a certificate with the application.
"it shouldn't be a problem because it's not accessible by anyone else". That's not a requirement. Other people may well access the server, as long as they cannot alter the security (and availability) of the connection or the trust store. Read access to the P12 file wouldn't directly influence the availability or trustworthiness of the trust store. That said, the stricter the security of the service that contains the trust store, the better.
I was kind of afraid that the P12 would not just be a trust store but also a key store containing a private key. Preferably, a private key should not be distributed that way. I didn't see any hint of this happening in your question, so I'll just leave it here for other readers.