Trust Store vs Key Store - creating with keytool

Question

I understand that the keystore would usually hold private public keys and the trust store only public keys  and represents the list of trusted parties you intend to communicate with   Well  that s my first assumption  so if that s not correct  I probably haven t started very well     I was interested though in understanding how   when you distinguish the stores when using keytool   So  far I ve created a keystore using  keytool -import -alias bob -file bob crt -keystore keystore ks   which creates my keystore ks file  I answer yes to the question do I trust bob but it is unclear to me if this has created a keystore file or a truststore file  I can set up my application to use the file as either   -Djavax net ssl keyStore keystore ks -Djavax net ssl keyStorePassword x -Djavax net ssl trustStore keystore ks -Djavax net ssl trustStorePassword x   and with System setProperty   javax net debug    ssl   set  I can see the certificate under trusted certifications  but not under the keystore section   The particular certificate I m importing has only a public key and I intend to use it to send stuff over an SSL connection to Bob  but perhaps that s best left for another question     Any pointers or clarifications would be much appreciated  Is the output of keytool the same whatever you import and its just convention that says one is a keystore and the other a trust store  What s the relationship when using SSL etc

User · Answer

There is no difference between keystore and truststore files  Both are files in the proprietary JKS file format  The distinction is in the use  To the best of my knowledge  Java will only use the store that is referenced by the -Djavax net ssl trustStore system property to look for certificates to trust when creating SSL connections  Same for keys and -Djavax net ssl keyStore  But in theory it s fine to use one and the same file for trust- and keystores

User · Answer

The terminology is a bit confusing indeed  but both javax net ssl keyStore and javax net ssl trustStore are used to specify which keystores to use  for two different purposes  Keystores come in various formats and are not even necessarily files  see this question   and keytool is just a tool to perform various operations on them  import export list        The javax net ssl keyStore and javax net ssl trustStore parameters are the default parameters used to build KeyManagers and TrustManagers  respectively   then used to build an SSLContext which essentially contains the SSL TLS settings to use when making an SSL TLS connection via an SSLSocketFactory or an SSLEngine  These system properties are just where the default values come from  which is then used by SSLContext getDefault    itself used by SSLSocketFactory getDefault   for example   All of this can be customized via the API in a number of places  if you don t want to use the default values and that specific SSLContexts for a given purpose    The difference between the KeyManager and TrustManager  and thus between javax net ssl keyStore and javax net ssl trustStore  is as follows  quoted from the JSSE ref guide       TrustManager      Determines whether the   remote authentication credentials  and   thus the connection  should be   trusted       KeyManager    Determines which   authentication credentials to send to   the remote host     Other parameters are available and their default values are described in the JSSE ref guide  Note that while there is a default value for the trust store  there isn t one for the key store    Essentially  the keystore in javax net ssl keyStore is meant to contain your private keys and certificates  whereas the javax net ssl trustStore is meant to contain the CA certificates you re willing to trust when a remote party presents its certificate  In some cases  they can be one and the same store  although it s often better practice to use distinct stores  especially when they re file-based

User · Answer

To explain in common usecase purpose or layman way   TrustStore   As the name indicates  its normally used to store the certificates of trusted entities  A process can maintain a store of certificates of all its trusted parties which  it trusts  keyStore   Used to store the server keys  both public and private  along with signed cert   During the SSL handshake   A client tries to access https     And thus  Server responds by providing a SSL certificate  which is stored in its keyStore   Now  the client receives the SSL certificate and verifies it via trustStore  i e the client s trustStore already has pre-defined set of certificates which it trusts    Its like   Can I trust this server   Is this the same server whom I am trying to talk to   No middle man attacks    Once  the client verifies that it is talking to server which it trusts  then SSL communication can happen over a shared secret key    Note   I am not talking here anything about client authentication on server side  If a server wants to do a client authentication too  then the server also maintains a trustStore to verify client  Then it becomes mutual TLS

User · Answer

These are the steps to create a Truststore in your local machine using Keytool  Steps to create truststore for a URL in your local machine   1  Hit the url in the browser using chrome  2  Check for the  i  icon to the left of the url in the chrome and click it  3  Check for certificate option and click it and a Dialog box will open  4  check the  certificate path  tab for the number of certificates available to create the truststore  5  Go the  details  tab - gt  click Copy to File  - gt  Give the path and the name for the certificate you want to create   6  Check if it has parent certificates and follow the point  5    7  After all the certificates are being create open Command Prompt and navigate to the path where you created the certificates   8  provide the below Keytool command to add the certificates and create a truststore   Sample      keytool -import -alias abcdefg -file abcdefg cer -keystore cacerts         where  abcdefg  is the alias name and  abcdefg cer  is the actual certificate name and  cacerts  is the truststore name   9  Provide the keytool command for all the certificates and add them to the trust store       keytool -list -v -keystore cacerts

User · Answer

keystore simply stores private keys  wheras truststore stores public keys  You will want to generate a java certificate for SSL communication  You can use a keygen command in windows  this will probably be the most easy solution

User · Answer

In simplest terms    Keystore is used to store your credential  server or client  while truststore is used to store others credential  Certificates from CA    Keystore is needed when you are setting up server side on SSL  it is used to store server s identity certificate  which server will present to a client on the connection while trust store setup on client side must contain to make the connection work  If you browser to connect to any website over SSL it verifies certificate presented by server against its truststore

User · Answer

Keystore is used by a server to store private keys  and Truststore is used by third party client to store public keys provided by server to access  I have done that in my production application  Below are the steps for generating java certificates for SSL communication    Generate a certificate using keygen command in windows    keytool -genkey -keystore server keystore -alias mycert -keyalg RSA -keysize 2048 -validity 3950   Self certify the certificate    keytool -selfcert -alias mycert -keystore server keystore -validity 3950   Export certificate to folder    keytool -export -alias mycert -keystore server keystore -rfc -file mycert cer   Import Certificate into client Truststore    keytool -importcert -alias mycert -file mycert cer -keystore truststore

[java] Trust Store vs Key Store - creating with keytool

Examples related to java

Examples related to ssl

Examples related to keytool

Examples related to jce