Truststore and Keystore Definitions

Question

What s the difference between a keystore and a truststore

User · Answer

First and major difference between trustStore and keyStore is that trustStore is used by TrustManager to determine whether remote connection should be trusted, keyStore is used from KeyManager deciding which authentication credentials should be sent to the remote host for authentication during SSL handshake.
Another difference is that keyStore theoretically contains private keys required only if you are running a Server in SSL connection or you have enabled client authentication on server side and on the other hand trustStore stores public key or certificates from CA (Certificate Authorities) which are used to trust remote party or SSL connection.

In fact you can store in the same file both private and public keys, given that the the tool to manage those file is the same (keytool), so you could use a single file for both the purposes, but you probably should not.
At least on my Mac OSX the default keyStore is ${user.home}/.keystore, and the default trustStore is /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts.

If you want to override them you should add the JVM parameters -Djavax.net.ssl.keyStore /path/to/keyStore or -Djavax.net.ssl.trustStore /path/to/trustStore. You might also need to set the keyStore password in case of java.security.UnrecoverableKeyException: Password must not be null, using the parameter -Djavax.net.ssl.trustStorePassword=password or -Djavax.net.ssl.trustStorePassword=password

Main Source:

http://javarevisited.blogspot.co.uk/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html

User · Answer

A keystore contains private keys  and the certificates with their corresponding public keys   A truststore contains certificates from other parties that you expect to communicate with  or from Certificate Authorities that you trust to identify other parties

User · Answer

A keystore contains private keys  You only need this if you are a server  or if the server requires client authentication  A truststore contains CA certificates to trust  If your server   s certificate is signed by a recognized CA  the default truststore that ships with the JRE will already trust it  because it already trusts trustworthy CAs   so you don   t need to build your own  or to add anything to the one from the JRE    Source

User · Answer

Keystore is used to store private key and identity certificates that a specific program should present to both parties  server or client  for verification  Truststore is used to store certificates from Certified Authorities  CA  that verify the certificate presented by the server in SSL connection  This article for reference https   www educative io edpresso keystore-vs-truststore

User · Answer

A keystore contains private keys  and the certificates with their corresponding public keys   A truststore contains certificates from other parties that you expect to communicate with  or from Certificate Authorities that you trust to identify other parties

User · Answer

In a SSL handshake the purpose of trustStore is to verify credentials and the purpose of keyStore is to provide credential    keyStore  keyStore in Java stores private key and certificates corresponding to their public keys and require if you are SSL Server or SSL requires client authentication    TrustStore  TrustStore stores certificates from third party  your Java application communicate or certificates signed by CA certificate authorities like Verisign  Thawte  Geotrust or GoDaddy  which can be used to identify third party    TrustManager  TrustManager determines whether remote connection should be trusted or not i e  whether remote party is who it claims to and KeyManager decides which authentication credentials should be sent to the remote host for authentication during SSL handshake   If you are an SSL Server you will use private key during key exchange algorithm and send certificates corresponding to your public keys to client  this certificate is acquired from keyStore  On SSL client side  if its written in Java  it will use certificates stored in trustStore to verify identity of Server  SSL certificates are most commonly comes as  cer file which is added into keyStore or trustStore by using any key management utility e g  keytool   Source  http   javarevisited blogspot ch

User · Answer

First and major difference between trustStore and keyStore is that trustStore is used by TrustManager to determine whether remote connection should be trusted, keyStore is used from KeyManager deciding which authentication credentials should be sent to the remote host for authentication during SSL handshake.
Another difference is that keyStore theoretically contains private keys required only if you are running a Server in SSL connection or you have enabled client authentication on server side and on the other hand trustStore stores public key or certificates from CA (Certificate Authorities) which are used to trust remote party or SSL connection.

In fact you can store in the same file both private and public keys, given that the the tool to manage those file is the same (keytool), so you could use a single file for both the purposes, but you probably should not.
At least on my Mac OSX the default keyStore is ${user.home}/.keystore, and the default trustStore is /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts.

If you want to override them you should add the JVM parameters -Djavax.net.ssl.keyStore /path/to/keyStore or -Djavax.net.ssl.trustStore /path/to/trustStore. You might also need to set the keyStore password in case of java.security.UnrecoverableKeyException: Password must not be null, using the parameter -Djavax.net.ssl.trustStorePassword=password or -Djavax.net.ssl.trustStorePassword=password

Main Source:

http://javarevisited.blogspot.co.uk/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html

User · Answer

A keystore contains private keys  and the certificates with their corresponding public keys   A truststore contains certificates from other parties that you expect to communicate with  or from Certificate Authorities that you trust to identify other parties

User · Answer

In Java  what s the difference between a keystore and a truststore    Here s the description from the Java docs at Java Secure Socket Extension  JSSE  Reference Guide  I don t think it tells you anything different from what others have said  But it does provide the official reference      keystore truststore      A keystore is a database of key material  Key material is used for a variety of purposes  including authentication and data integrity    Various types of keystores are available  including PKCS12 and   Oracle s JKS       Generally speaking  keystore information can be grouped into two categories  key entries and trusted certificate entries  A key entry   consists of an entity s identity and its private key  and can be used   for a variety of cryptographic purposes  In contrast  a trusted   certificate entry contains only a public key in addition to the   entity s identity  Thus  a trusted certificate entry cannot be used   where a private key is required  such as in a   javax net ssl KeyManager  In the JDK implementation of JKS  a keystore   may contain both key entries and trusted certificate entries       A truststore is a keystore that is used when making decisions about what to trust  If you receive data from an entity that you   already trust  and if you can verify that the entity is the one that   it claims to be  then you can assume that the data really came from   that entity       An entry should only be added to a truststore if the user trusts that entity  By either generating a key pair or by importing a   certificate  the user gives trust to that entry  Any entry in the   truststore is considered a trusted entry       It may be useful to have two different keystore files  one containing just your key entries  and the other containing your   trusted certificate entries  including CA certificates  The former   contains private information  whereas the latter does not  Using two   files instead of a single keystore file provides a cleaner separation   of the logical distinction between your own certificates  and   corresponding private keys  and others  certificates  To provide more   protection for your private keys  store them in a keystore with   restricted access  and provide the trusted certificates in a more   publicly accessible keystore if needed

User · Answer

You may also be interested in the write-up from Sun  as part of the standard JSSE documentation   http   docs oracle com javase 8 docs technotes guides security jsse JSSERefGuide html Stores  Typically  the trust store is used to store only public keys  for verification purposes  such as with X 509 authentication  For manageability purposes  it s quite common for admins or developers to simply conflate the two into a single store

User · Answer

A keystore contains private keys  and the certificates with their corresponding public keys   A truststore contains certificates from other parties that you expect to communicate with  or from Certificate Authorities that you trust to identify other parties

User · Answer

In Java  what s the difference between a keystore and a truststore    Here s the description from the Java docs at Java Secure Socket Extension  JSSE  Reference Guide  I don t think it tells you anything different from what others have said  But it does provide the official reference      keystore truststore      A keystore is a database of key material  Key material is used for a variety of purposes  including authentication and data integrity    Various types of keystores are available  including PKCS12 and   Oracle s JKS       Generally speaking  keystore information can be grouped into two categories  key entries and trusted certificate entries  A key entry   consists of an entity s identity and its private key  and can be used   for a variety of cryptographic purposes  In contrast  a trusted   certificate entry contains only a public key in addition to the   entity s identity  Thus  a trusted certificate entry cannot be used   where a private key is required  such as in a   javax net ssl KeyManager  In the JDK implementation of JKS  a keystore   may contain both key entries and trusted certificate entries       A truststore is a keystore that is used when making decisions about what to trust  If you receive data from an entity that you   already trust  and if you can verify that the entity is the one that   it claims to be  then you can assume that the data really came from   that entity       An entry should only be added to a truststore if the user trusts that entity  By either generating a key pair or by importing a   certificate  the user gives trust to that entry  Any entry in the   truststore is considered a trusted entry       It may be useful to have two different keystore files  one containing just your key entries  and the other containing your   trusted certificate entries  including CA certificates  The former   contains private information  whereas the latter does not  Using two   files instead of a single keystore file provides a cleaner separation   of the logical distinction between your own certificates  and   corresponding private keys  and others  certificates  To provide more   protection for your private keys  store them in a keystore with   restricted access  and provide the trusted certificates in a more   publicly accessible keystore if needed

User · Answer

In a SSL handshake the purpose of trustStore is to verify credentials and the purpose of keyStore is to provide credential    keyStore  keyStore in Java stores private key and certificates corresponding to their public keys and require if you are SSL Server or SSL requires client authentication    TrustStore  TrustStore stores certificates from third party  your Java application communicate or certificates signed by CA certificate authorities like Verisign  Thawte  Geotrust or GoDaddy  which can be used to identify third party    TrustManager  TrustManager determines whether remote connection should be trusted or not i e  whether remote party is who it claims to and KeyManager decides which authentication credentials should be sent to the remote host for authentication during SSL handshake   If you are an SSL Server you will use private key during key exchange algorithm and send certificates corresponding to your public keys to client  this certificate is acquired from keyStore  On SSL client side  if its written in Java  it will use certificates stored in trustStore to verify identity of Server  SSL certificates are most commonly comes as  cer file which is added into keyStore or trustStore by using any key management utility e g  keytool   Source  http   javarevisited blogspot ch

User · Answer

You may also be interested in the write-up from Sun  as part of the standard JSSE documentation   http   docs oracle com javase 8 docs technotes guides security jsse JSSERefGuide html Stores  Typically  the trust store is used to store only public keys  for verification purposes  such as with X 509 authentication  For manageability purposes  it s quite common for admins or developers to simply conflate the two into a single store

User · Answer

A keystore contains private keys  You only need this if you are a server  or if the server requires client authentication  A truststore contains CA certificates to trust  If your server   s certificate is signed by a recognized CA  the default truststore that ships with the JRE will already trust it  because it already trusts trustworthy CAs   so you don   t need to build your own  or to add anything to the one from the JRE    Source

User · Answer

Keystore is used to store private key and identity certificates that a specific program should present to both parties  server or client  for verification  Truststore is used to store certificates from Certified Authorities  CA  that verify the certificate presented by the server in SSL connection  This article for reference https   www educative io edpresso keystore-vs-truststore

[keystore] Truststore and Keystore Definitions

Examples related to keystore

Examples related to encryption-asymmetric

Examples related to truststore