The first and major difference between trustStore and keyStore is that trustStore is used by TrustManager to determine whether a remote connection should be trusted, whereas keyStore is used by KeyManager to decide which authentication credentials should be sent to the remote host for authentication during the SSL handshake.
Another difference is that keyStore theoretically contains private keys, which are required only if you are running a server in an SSL connection or you have enabled client authentication on the server side; on the other hand, trustStore stores public keys or certificates from CAs (Certificate Authorities), which are used to trust the remote party or SSL connection.
In fact you can store both private and public keys in the same file, given that the tool to manage those files is the same (keytool), so you could use a single file for both purposes, but you probably should not.
At least on my Mac OS X the default keyStore is ${user.home}/.keystore, and the default trustStore is /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts.
If you want to override them you should add the JVM parameters
-Djavax.net.ssl.keyStore=/path/to/keyStore
or
-Djavax.net.ssl.trustStore=/path/to/trustStore
You might also need to set the keyStore password, in case of
java.security.UnrecoverableKeyException: Password must not be null
using the parameter
-Djavax.net.ssl.keyStorePassword=password
or
-Djavax.net.ssl.trustStorePassword=password
Main Source:
http://javarevisited.blogspot.co.uk/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html
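The following is an added example, not part of the answer above or of the linked blog post. It shows the KeyManager/TrustManager split described there in code: it reads the same javax.net.ssl.* system properties the JVM uses, loads each file as a java.security.KeyStore, reports which aliases hold private-key entries (KeyManager material) and which hold trusted-certificate entries (TrustManager material), and then builds an SSLContext from a KeyManagerFactory and a TrustManagerFactory. The class name StoreRoles, the fallback password "changeit" for the trustStore (the JDK's documented default for cacerts) and the empty-string fallback for the keyStore password are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Example class (hypothetical name) illustrating the keyStore / trustStore roles.
public class StoreRoles {

    // Load a keystore file of the JVM's default type (JKS or PKCS12 depending on the JDK).
    static KeyStore load(String path, char[] password) throws Exception {
        if (path == null) {
            throw new IllegalArgumentException("store path not set; pass it with -Djavax.net.ssl.keyStore / trustStore");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // password may be null for read-only access to certificate entries
        }
        return ks;
    }

    // Classify each alias: a key entry is what a KeyManager presents to the peer,
    // a certificate entry is what a TrustManager uses to decide whether to trust the peer.
    static void describe(String label, KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind;
            if (ks.isKeyEntry(alias)) {
                kind = "private key + certificate chain (KeyManager material)";
            } else if (ks.isCertificateEntry(alias)) {
                kind = "trusted certificate (TrustManager material)";
            } else {
                kind = "other entry type";
            }
            System.out.printf("%s: %s -> %s%n", label, alias, kind);
        }
    }

    public static void main(String[] args) throws Exception {
        // These are the properties the answer above sets with -D on the java command line.
        String keyStorePath   = System.getProperty("javax.net.ssl.keyStore");
        String keyStorePw     = System.getProperty("javax.net.ssl.keyStorePassword", "");       // assumed fallback
        String trustStorePath = System.getProperty("javax.net.ssl.trustStore");
        String trustStorePw   = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // JDK cacerts default

        KeyStore keyStore   = load(keyStorePath, keyStorePw.toCharArray());
        KeyStore trustStore = load(trustStorePath, trustStorePw.toCharArray());
        describe("keyStore", keyStore);
        describe("trustStore", trustStore);

        // KeyManager side: needs the key password to unlock private keys. Passing null here
        // for a store with key entries is what produces
        // "java.security.UnrecoverableKeyException: Password must not be null".
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePw.toCharArray());

        // TrustManager side: only certificates are read, so no key password is involved.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready, protocol: " + ctx.getProtocol());
    }
}
```

Run it with the same flags the answer describes, for example java -Djavax.net.ssl.keyStore=/path/to/keyStore -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/path/to/trustStore StoreRoles. Note that values given with -D are visible to anyone who can list the process's command line, so on shared hosts a practitioner would rather read the password from a protected file or a credential store and pass it to kmf.init directly.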