Difference between .keystore file and .jks file

Asked 24/1, 2012 at 11:1 Answered 24/1, 2018 at 23:27

331

I have tried to find the difference between .keystore files and .jks files, yet I could not find it. I know jks is for "Java keystore" and both are a way to store key/value pairs.

Is there any difference or a preference to use one over another?

Plyler answered 24/1, 2012 at 11:1 Comment(0)

265

Ultimately, .keystore and .jks are just file extensions: it's up to you to name your files sensibly.

Some application use a keystore file stored in $HOME/.keystore: it was usually implied that it was JKS file, since JKS was the default keystore type in the Sun/Oracle Java security provider, up to Java 8. Not everyone uses the .jks extension for JKS files, because it was implied as the default. Since Java 9, the default format is PKCS#12 (often with .p12 or pfx extensions), but it's not clear whether all applications have caught up with that change. I'd recommend using the extension, just to remember which type to specify (if you need).

In Java, the word "keystore" can have either of the following meanings, depending on the context:

the API: https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html
a file (or other mechanism) that can be used to back this API
a keystore as opposed to a truststore, as described here: https://mcmap.net/q/99661/-trust-store-vs-key-store-creating-with-keytool

When talking about the file and storage, this is not really a storage facility for key/value pairs (there are plenty or other formats for this). Rather, it's a container to store cryptographic keys and certificates (I believe some of them can also store passwords). Generally, these files are encrypted and password-protected so as not to let this data available to unauthorized parties.

Java uses its KeyStore class and related API to make use of a keystore (whether it's file based or not). JKS is a Java-specific file format, but the API can also be used with other file types, typically PKCS#12. When you want to load a keystore, you must specify its keystore type. The conventional extensions would be:

.jks for type "JKS",
.p12 or .pfx for type "PKCS12" (the specification name is PKCS#12, but the # is not used in the Java keystore type name).

In addition, BouncyCastle also provides its implementations, in particular BKS (typically using the .bks extension), which is frequently used for Android applications.

Crosier answered 27/1, 2012 at 22:40 Comment(5)

I can confirm than changing the extension from .jks to .keystore will work. Please backup before doing it !! – Heck 4/9, 2019 at 19:24

sorry, still don't quite understand .keystore vs .jks. – Halfpenny 18/1, 2021 at 3:9

@Halfpenny It depends on the context, they are just file name extensions. Often, they'll be the same actual type of file (a JKS file), but of course, file extensions are just an indication. – Crosier 18/1, 2021 at 10:40

@Crosier Keystore has three meanings depends on the context(as described in answer). but for .keystore file and .jks file, they are the same(just file extension differents), both them contains public/private certificate and password, right? – Halfpenny 19/1, 2021 at 2:29

Hi, Bruno we take your answer for the spanish version of SO, es.#162955 – Stratification 23/2, 2022 at 0:3

110

You are confused on this.

A keystore is a container of certificates, private keys etc.

There are specifications of what should be the format of this keystore and the predominant is the #PKCS12

JKS is Java's keystore implementation. There is also BKS etc.

These are all keystore types.

So to answer your question:

difference between .keystore files and .jks files

There is none. JKS are keystore files. There is difference though between keystore types. E.g. JKS vs #PKCS12

Beera answered 25/1, 2012 at 21:27 Comment(4)

I'd say the predominant keystore type is JKS, not PKCS#12, only because the word "keystore" is part of the Java terminology, only rarely used outside the context of Java. This being said, PKCS#12 files are quite common indeed (typically .pfx or .p12). – Crosier 27/1, 2012 at 22:19

@Bruno:You mean the predominant type in Java applications. – Beera 28/1, 2012 at 7:52

No, I mean that the word "keystore" is mostly a Java word. Other applications/platforms rarely call the place/file where keys and certificates are store a "keystore". MS calls PKCS#12 files "Personal Information Exchange" files, for example. Others have names like "key chain" (OSX), "certificate database" (NSS), "certificate store", "key rings", ..., for the places where they store keys and certificates, not really "keystore". – Crosier 28/1, 2012 at 16:21

@Bruno:I see what you mean.Good point.I hadn't thought of it like this before.Thanks – Beera 28/1, 2012 at 19:17

One reason to choose .keystore over .jks is that Unity recognizes the former but not the latter when you're navigating to select your keystore file (Unity 2017.3, macOS).

Tolmann answered 24/1, 2018 at 23:27 Comment(2)

What is this 'unity' you referred to. I have same issue of .jks file not getting identified by my java agent. – Saltpeter 3/2, 2022 at 15:43

@Saltpeter I'm referring to the "Unity" game engine (unity3d.com). – Tolmann 1/5, 2022 at 3:15

Recommended topics

Hot tags