trustCertificateKeyStoreUrl vs clientCertificateKeyStoreUrl

橙三吉。 submitted on 2020-01-05 05:55:48

Question


What's the difference between trustCertificateKeyStoreUrl and clientCertificateKeyStoreUrl in MySQL Connector/J? When should I provide one or the other?

I have a client app that connects with AWS RDS using SSL, which one of those should I be using?


Answer 1:


trustCertificateKeyStoreUrl is for server authentication and clientCertificateKeyStoreUrl is for client authentication. During SSL negotiation, the server presents its certificate, containing the server's public key and a checksum which is digitally signed by a third-party certificate authority (CA). There is another connection property, verifyServerCertificate, which configures whether the client should verify the server certificate or not. If you want to verify the server's certificate for your application during SSL negotiation, then you should set verifyServerCertificate to true and provide, in trustCertificateKeyStoreUrl, a truststore path which contains all CAs trusted by the client. If the certificate presented by the server is digitally signed by a CA trusted by the client, then verification will succeed; otherwise it will fail.

clientCertificateKeyStoreUrl is for client authentication. If client authentication is enabled on the server side (you can refer to the https://dev.mysql.com/doc/refman/8.0/en/create-user.html#create-user-tls article to learn how to enable client authentication), then during SSL negotiation the server will request the client's certificate. If the client certificate is digitally signed by a CA which is trusted by the server, then authentication will succeed.

In short, trustCertificateKeyStoreUrl should be provided when the client wants to authenticate the server certificate, and clientCertificateKeyStoreUrl should be provided when client authentication is enabled on the server and the server wants to check whether the certificate is signed by trusted CAs.



Source: https://stackoverflow.com/questions/48277046/trustcertificatekeystoreurl-vs-clientcertificatekeystoreurl
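
The two cases from the answer above, side by side, as an added example that is not part of the original question or answer. The host name, store paths, store types and environment variable names are placeholders assumed for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

public class MysqlTlsExample {

    // Case 1, server authentication only: the client checks the server's
    // certificate against the CAs in its truststore.
    // (Connector/J 8.0.13+ expresses the same intent with sslMode=VERIFY_CA.)
    static Properties serverAuthProps() {
        Properties p = new Properties();
        p.setProperty("user", System.getenv("DB_USER"));          // assumed env var
        p.setProperty("password", System.getenv("DB_PASSWORD"));  // assumed env var
        p.setProperty("useSSL", "true");
        p.setProperty("requireSSL", "true");
        p.setProperty("verifyServerCertificate", "true");
        p.setProperty("trustCertificateKeyStoreUrl", "file:/path/to/truststore.jks"); // placeholder
        p.setProperty("trustCertificateKeyStoreType", "JKS");
        p.setProperty("trustCertificateKeyStorePassword", System.getenv("TRUSTSTORE_PASSWORD"));
        return p;
    }

    // Case 2, client authentication as well: the keystore holds the client's
    // own certificate and private key, sent when the server requests them.
    static Properties mutualTlsProps() {
        Properties p = serverAuthProps();
        p.setProperty("clientCertificateKeyStoreUrl", "file:/path/to/client-keystore.p12"); // placeholder
        p.setProperty("clientCertificateKeyStoreType", "PKCS12");
        p.setProperty("clientCertificateKeyStorePassword", System.getenv("KEYSTORE_PASSWORD"));
        return p;
    }

    public static void main(String[] args) throws Exception {
        String url = "jdbc:mysql://db.example.com:3306/appdb"; // placeholder host and schema
        // Swap in mutualTlsProps() when the server account requires a client certificate.
        try (Connection c = DriverManager.getConnection(url, serverAuthProps());
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            // An empty Ssl_cipher value means the session is not encrypted.
            if (!rs.next() || rs.getString(2).isEmpty()) {
                throw new IllegalStateException("connection is not using TLS");
            }
            System.out.println("Negotiated cipher: " + rs.getString(2));
        }
    }
}
```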
