Java Keystore & Truststore - keytool binary


Keystore vs Truststore - Similarities

Usually, the keystore and truststore:

  • are used when a Java application needs to communicate over SSL/TLS
  • are password-protected files that sit on the same file system as the running application. The default format for these files was JKS up to Java 8; since Java 9 the default keystore format is PKCS12. The biggest difference between the two is that JKS is a format specific to Java, while PKCS12 is a standardized, language-neutral way of storing encrypted private keys and certificates

Keystore vs Truststore - Differences

Keystore
  • typically holds the certificates that identify us
  • contains private keys, and the certificates with their corresponding public keys
  • is used by the KeyManager to decide which authentication credentials should be sent to the remote host during the SSL handshake
  • in an SSL/TLS handshake, the purpose of the keystore is to provide credentials
Truststore
  • holds the certificates that identify others
  • contains the public certificates of other parties we expect to communicate with, or of Certificate Authorities we trust to identify other parties
  • is used by the TrustManager to determine whether the remote connection should be trusted
  • in an SSL/TLS handshake, the purpose of the truststore is to verify credentials

Keystore vs Truststore - SSL/TLS Handshake

Let's say we have a client that wants to communicate with a server over SSL/TLS.

The server looks up the associated key in its keystore and presents the certificate (with its public key) to the client.

The client then looks up the presented certificate in its truststore. If neither the certificate nor the Certificate Authority that issued it is in our truststore, we get an SSLHandshakeException and the connection is not set up.
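The handshake described above, as an added example that is not part of the original page: a Java program that builds the server's SSLContext from a keystore (the KeyManager side, supplying the credential) and the client's from a truststore (the TrustManager side, verifying it), then runs one handshake that succeeds and a second one, with an empty truststore, that fails with SSLHandshakeException. The file names server.p12 and truststore.p12, the alias, the password and the keytool commands in the comment are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Assumed inputs, created beforehand with keytool (file names, alias and
 * password are assumptions for this example):
 *
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
 *       -dname "CN=localhost" -validity 365 \
 *       -keystore server.p12 -storetype PKCS12 -storepass changeit
 *   keytool -exportcert -alias server -keystore server.p12 \
 *       -storepass changeit -rfc -file server.crt
 *   keytool -importcert -alias server -file server.crt -noprompt \
 *       -keystore truststore.p12 -storetype PKCS12 -storepass changeit
 */
public class HandshakeDemo {

    // Load a PKCS12 store from disk; a null path yields an empty in-memory store.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (path == null) {
            ks.load(null, null);          // empty store: contains no trusted certificates
        } else {
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    // Server side: the keystore supplies the private key and certificate chain.
    static SSLContext serverContext(String keystorePath, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystorePath, password), password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client side: the truststore decides which server certificates are accepted.
    static SSLContext clientContext(String truststorePath, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath, password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static void connect(SSLContext ctx, int port) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", port)) {
            s.startHandshake();
            s.getOutputStream().write(1);
            System.out.println("handshake OK, peer = " + s.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // The presented certificate could not be validated against the truststore.
            System.out.println("handshake rejected: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("error: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        SSLServerSocket server = (SSLServerSocket) serverContext("server.p12", pw)
                .getServerSocketFactory().createServerSocket(0);   // port 0: pick a free port
        int port = server.getLocalPort();

        // Accept two connections: complete the handshake, read one byte, close.
        Thread acceptor = new Thread(() -> {
            for (int i = 0; i < 2; i++) {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    s.getInputStream().read();
                } catch (Exception e) {
                    // The server side of the rejected handshake fails too; ignore here.
                }
            }
        });
        acceptor.start();

        // 1) Truststore contains the server certificate: the handshake succeeds.
        connect(clientContext("truststore.p12", pw), port);
        // 2) Empty truststore: the server certificate cannot be validated, so the
        //    client gets an SSLHandshakeException and no connection is set up.
        connect(clientContext(null, pw), port);

        acceptor.join();
        server.close();
    }
}
```

Both sides run in one JVM on a random localhost port, so the difference between the two runs is only the client's truststore: the same server credential is accepted when its certificate is present in the truststore and rejected when it is not.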

Interacting With Keystore and/or Truststore

We can interact with the keystore and/or truststore with either:

Default Keystore and Truststore

Setting Keystore and/or Truststore to be used in Java App
