Since both are on the client, why do you need them encrypted? Even if you did need to encrypt them, your client application would need to be able to decrypt them to use them, so the key/password used to decrypt them would need to be available to the client to unencrypt them! You are then back to the same problem - what protects the keys/passwords that protect the SSL passwords?
Unless you are doing mutual authentication, you don't really need to pass the passwords.
If he needs a key store he needs a keystore password. You never need a truststore password unless you want it verified on opening. Passing the password to the client is contradictory. Nobody but the client should know it in the first place. It should be configured at the client.