I'm doing a Java Client-Server system that will manage computers in a room, the scenario is as follows:
- A computer, the server, waits for connections, when an action is taken (Screen Lock) this command is then sent to all connected clients.
- Clients are the ones that are controlled, have the IP of the server, and they connect to the server with this IP, once they are connected, they wait for commands.
By the nature of the program, it should be as safe as possible so only authorized persons can use it.
SSL was then used for communication.
- Using openssl I created a self-signed certificate, converted to pks12, keytool to make the two keystores (or rather, the keystore for the server, and the truststore, with a certificate only, for the clients). >
-
The server has the keystore with the certificate and private key, encrypted using AES / CBC / PKCS5 and the derived 256-bit key using PBKDF2 with 1,000,000 iterations (takes 2 seconds to decrypt). and the password is this site: link (65 bits of entropy)
-
Customers, the truststore with the certificate only.
- When connecting the server, the password must be entered to open the keystore and be able to accept client connections.
My question is: If the client only relies on a certificate, which was received at the installation, the problem of self-signed certificate authentication would theoretically be solved, being as secure as ordinary SSL, based on the trust chain of the CA's? Does the fact that the certificate is Auto Signed spoil encryption in any way, such as by allowing you to obtain the private key from the self-signed public, or something like that?
obs: the client truststore only has the certificate, and does NOT have the private key.
Obs2: Assuming the private key is kept secret, that is, nobody steals the server's keystore and discovers the server's password.