truststore vs keystore in layman terms
I am trying to understand the difference between truststores and keystores in layman's terms. How are they related to cacerts in Java? I have gone through a lot of threads but still cannot understand when to use a keystore and when to use a truststore.

When I try to make an API call to a web service via HTTPS, I keep getting an SSL certificate issue. The HTTPS service is using a self-signed certificate, and I imported the certificate into my cacerts, but the issue still persists. Where do I have to import this server certificate? If the import solves the issue, do I need to import the certificate in other environments when I deploy the application?

Our application uses a JKS file; what is it needed for? When I view the JKS file, I see there are 2 certificates in it. Why do we use it?

For truststores, I see people saying "trusting ourselves". What are we trusting ourselves with? Does the truststore use any certificates? When should I be using a keystore versus a truststore?

Any help in understanding this would be really helpful to me.

Burks, 13/1, 2018 at 16:18 (4 comments)
Diction: A truststore stores the certificates (the public part of a key pair) that you trust. This is used for client certificate authentication: if the client submits a key that is signed by a trusted certificate, then they successfully authenticate. A truststore is optional. A keystore stores the key (the private part of a key pair) that the server uses to prove it is who it says it is. A keystore is required for SSL.

Burks: If I understand, I need to store the certificate in the keystore when making an SSL call; then what is the use of cacerts in Java? Importing the certificate into cacerts doesn't solve the problem?

Incongruity: This might help to understand: #318941

Illsorted: Technically they are the same thing. The logical separation is done to avoid putting private keys together with public certificates in the same file. Such a truststore can then be safely redistributed, while sharing the private key is quite the opposite.
Truststore - a container that holds certificates that should be accepted, aka trusted, by the application. This can be, e.g., a self-signed certificate or a certificate signed by a CA that is not on the global list of CAs. For example, a company can have its own CA to allow the use of its own certificates. Adding such a CA to your truststore (the app's, or installing it in the system) will validate all other certificates signed by that CA.

Keystore - a container that holds private keys. This allows the application to accept communication initialized using the corresponding public key.

In Java, they can both be in JKS format and they are "technically" the same thing. For security reasons, you separate them logically into 2 containers.

What it seems you might not know is that PKI works in a way that you always have a pair of a unique public key and private key. The public key is used to ENCRYPT communication while the private key is used to DECRYPT it. When a client connects via an SSL channel, it uses the public key to establish the key exchange. If the server identity is legit, it will have the private key and will be able to proceed with the exchange.

Now to your questions:

Where do I have to import this server certificate? If the import solves the issues, do I need to import the certificate in other environments when I deploy the application?

The server must have the private key in order to do a successful SSL handshake. It also introduces itself with the corresponding public key (which is in the certificate). If that certificate is signed by a worldwide trusted CA, nothing has to be done; the certificate will be trusted. If it is not (self-signed, private CA), then it must be added to the client's truststore to tell the application that this particular certificate should be trusted despite no public authority's assurance.

If the import solves the issues, do I need to import the certificate in other environments when I deploy the application?

Every system must be informed that it should trust that particular certificate. If the client application is proprietary to you, you can distribute the truststore along with it.

For truststores, I see people saying "trusting ourselves". What are we trusting ourselves with?

By adding the given certificate to the "trust list", the truststore. It literally says that it is OK to connect to a server that introduces itself with that particular certificate (still, it has to have the private key to authenticate itself).

Does the truststore use any certificates?

The truststore is just a container.

When should I be using a keystore versus a truststore?

Already answered, but: use a truststore to say that connecting using some public key is secure despite the fact that it is not signed by a global CA. Use a keystore on the server side to allow it to do a proper handshake.

Illsorted answered 28/12, 2018 at 10:42 (7 comments)
Cuckoopint: Hi @Illsorted, thank you very much for the clear explanation. I have a follow-up question though. What doesn't click for me is this: for a successful SSL authentication, is it OK that the server has a keystore (meaning private and public key) and no truststore is needed, while on the other hand the client needs only a truststore (meaning the public certificate of the server) but no keystore? If so, why doesn't the client need a keystore to authenticate itself to the server? And also, why doesn't the server need a truststore to accept communication from the client?

Illsorted: @AhmetEroğlu those are 2 different scenarios: either the server wants to authenticate the user, or the user wants to be sure of the server's identity. As a general rule in side-to-side communication (as an example), the side that wants to authenticate itself will use its private key for that, and the side that wants to VERIFY that the other side's identity is what the certificate says it should be will use the public key.

Cuckoopint: Would that mean that an SMTP server (which will use a self-signed certificate and will allow incoming communications) should have only a keystore and doesn't need anything in a truststore, and a client should have the certificate of the server in its truststore and doesn't need any keystore?

Illsorted: In theory, this is enough. However, you then assume that you have the public key from somewhere, while in practice the server announces itself with some certificate (containing the public key) that you will use later on.

Cuckoopint: OK, thank you so much, now everything is clear. But what I don't get is this: I have two Eclipse Java projects. The first one is the server, the second one is the client. On the server side, I use my own keystore file. On the client side, I use JavaMail to send an email using STARTTLS to this server. It works on localhost, but on the client side I don't import anything with regards to the public key of the SMTP server, and the mail is still sent correctly. How does the client send email without knowing the public cert of the server?

Illsorted: Like in the previous comment, in the connection establishment phase the server announces itself with some cert data, including the public key. The client can trust it or reject it. This is why trust chains exist. You TRUST by default that if some known certificate authority signed that certificate, you can trust that it is valid and reflects the true identity of the other party, which should be validated PHYSICALLY by the CA.

Illsorted: And actually this is described in the answer :)
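As an added illustration of the split the answer describes (trust anchors in one container, private keys in the other), the following Java program is example code written for this page; it is not part of the original answer or of any project. It loads a JKS or PKCS12 store, reports whether the store holds trusted certificates or private keys (the same distinction keytool shows as trustedCertEntry versus PrivateKeyEntry), warns if both are mixed in one file, and shows which factory consumes which store: a TrustManagerFactory for the client-side truststore, a KeyManagerFactory for the server-side keystore. The class name StoreInspector is made up for this example. It assumes a JDK is installed; with no arguments it inspects the JDK's own cacerts file at java.home/lib/security/cacerts using the default password changeit.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Example class for this page (not from the original answer or any project).
public class StoreInspector {

    // Load a store from disk. "JKS" is the classic Java format; on JDK 9+ the JKS
    // loader also accepts PKCS12 files, which is what newer JDKs use for cacerts.
    static KeyStore load(Path file, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    // Count the two kinds of entries. A truststore should contain only trusted
    // certificates; a keystore is the one that carries private keys.
    // Returns {trustedCertificates, privateKeys}.
    static int[] describe(KeyStore ks) throws Exception {
        int trusted = 0, keys = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                keys++;
                System.out.println("  PrivateKeyEntry  " + alias);
            } else if (ks.isCertificateEntry(alias)) {
                trusted++;
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("  trustedCertEntry " + alias
                        + "  subject=" + c.getSubjectX500Principal());
            }
        }
        System.out.printf("%d trusted certificates, %d private keys%n", trusted, keys);
        if (keys > 0 && trusted > 0) {
            // The reason for the logical split: a file holding private keys
            // must not be handed out the way a truststore can be.
            System.out.println("WARNING: private keys and trust anchors share one file;"
                    + " split them before distributing the truststore");
        }
        return new int[] {trusted, keys};
    }

    // Client side: only trust anchors are needed, so no KeyManager is supplied.
    static SSLContext clientContext(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Server side: the private key plus its certificate chain come from the keystore.
    // The null TrustManager array means the JDK default trust store is used, which
    // only matters if the server also asks clients for certificates.
    static SSLContext serverContext(KeyStore keystore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java StoreInspector [store-file] [password]
        // Default: the JDK's bundled cacerts truststore with its default password.
        Path store = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = load(store, password, "JKS");
        System.out.println("Store: " + store);
        int[] counts = describe(ks);
        if (counts[0] > 0) {
            SSLContext client = clientContext(ks);
            System.out.println("Built a client SSLContext (" + client.getProtocol()
                    + ") that trusts the " + counts[0] + " certificates above");
        }
        if (counts[1] > 0) {
            serverContext(ks, password);
            System.out.println("Built a server SSLContext from the private key entries above");
        }
    }
}
```

Run against cacerts the output is a long list of trustedCertEntry lines and zero private keys, which is what a truststore looks like; run against the application JKS from the question (`java StoreInspector app.jks <password>`) it shows which of its 2 entries are trust anchors and which carry a private key. To make a client trust a self-signed server certificate without touching the shared cacerts, import it into a truststore of your own with `keytool -importcert -alias myserver -file server.crt -keystore truststore.jks` and point the JVM at that file with `-Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=<password>`; that truststore contains no private key, so it can be shipped with the application to every environment, which is the answer's point about distributing the truststore along with a proprietary client.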
