Trust Store vs Key Store - creating with keytool
302

I understand that the keystore would usually hold private/public keys and the trust store only public keys (and represents the list of trusted parties you intend to communicate with). Well, that's my first assumption, so if that's not correct, I probably haven't started very well...

I was interested though in understanding how / when you distinguish the stores when using keytool.

So far, I've created a keystore using

keytool -import -alias bob -file bob.crt -keystore keystore.ks

which creates my keystore.ks file. I answer yes to the question "do I trust bob", but it is unclear to me whether this has created a keystore file or a truststore file. I can set up my application to use the file as either.

-Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x
-Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x

and with System.setProperty( "javax.net.debug", "ssl") set, I can see the certificate under trusted certifications (but not under the keystore section). The particular certificate I'm importing has only a public key and I intend to use it to send stuff over an SSL connection to Bob (but perhaps that's best left for another question!).

Any pointers or clarifications would be much appreciated. Is the output of keytool the same whatever you import, and it's just convention that says one is a keystore and the other a trust store? What's the relationship when using SSL etc.?

Skate answered 14/6, 2011 at 8:23 Comment(5)
I'm not sure what you mean by "The particular certificate I'm importing has only a public key": is it just a public key (i.e. not a certificate) or a non-CA certificate? – Christianchristiana
hmmm, not sure. I exported from my browser as a PEM file. Does that help? – Skate
If it's exported from the browser, it's probably a certificate. Is it a server certificate (with a CN or subjectAltName matching the name of a server)? Is it a CA certificate (look under Basic Constraints; you should be able to see this using your browser)? – Christianchristiana
tl;dr: trust stores contain public, trusted, root (CA) certs, whereas identity/key stores contain private, identity certs; file-wise, however, they are the same. – Glucoside
There is no technical difference, just some logic and comfort things to separate trusted certificates from server/client certificates. – Lavina
412

The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).

The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), which are then used to build an SSLContext, which essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from, which are then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault() for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values and want specific SSLContexts for a given purpose.)

The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):

TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.

KeyManager: Determines which authentication credentials to send to the remote host.

(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)

Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).

Christianchristiana answered 14/6, 2011 at 9:26 Comment(4)
Thanks for the reply, it clears things up a little. I'm still confused though when it comes to usage: I can use a pk12 pri/pub key (xxx.p12) as a keystore (via -D) and create an SSL connection (trusted) without any mention of a truststore via -D... oh well. – Skate
You don't need to specify a truststore, because there's a default value for it (it's bundled with the JRE), usually in $JAVA_HOME/lib/security/cacerts (see the 2nd JSSE ref guide link I sent). Like browsers, it contains a default set of trusted CA certificates. In general, a client will always use a truststore to check the server cert, but the keystore will only be used if the server requests a client cert; the server will always use a keystore for its own key+cert, but the truststore will only be used if the client sends a client certificate. – Christianchristiana
Thanks for the useful information. In WebLogic, there is an "identity-key-store" which stores the server's SSL certificate, and then there is a "trust-key-store" which stores the SSL certificates which the server trusts, so am I correct if I say that "identity-key-store" is nothing but a "keystore" and "trust-key-store" is nothing but a "truststore"? – Kodok
@Christianchristiana also, should we note that when there's a "jssecacerts", "cacerts" is ignored? – Conventual
142

To explain the common use case/purpose in layman's terms:

TrustStore : Used to store the certificates of trusted entities. A process can maintain a store of certificates of all the trusted parties which it trusts.

keyStore : Used to store the server keys (both public and private) along with the signed certificate.

During the SSL handshake,

  1. A client tries to access https://

  2. And thus, the server responds by providing an SSL certificate (which is stored in its keyStore)

  3. Now, the client receives the SSL certificate and verifies it via the trustStore (i.e. the client's trustStore already has a pre-defined set of certificates which it trusts). It's like: Can I trust this server? Is this the same server whom I am trying to talk to? No man-in-the-middle attacks?

  4. Once the client verifies that it is talking to a server which it trusts, SSL communication can happen over a shared secret key.

Note: I am not talking here about client authentication on the server side. If a server wants to do client authentication too, then the server also maintains a trustStore to verify the client. Then it becomes mutual TLS.

Claraclarabella answered 16/2, 2018 at 19:12 Comment(0)
30

Keystore is used by a server to store private keys, and Truststore is used by a third-party client to store public keys provided by the server for access. I have done that in my production application. Below are the steps for generating Java certificates for SSL communication:

  1. Generate a certificate using the keygen command in Windows:

keytool -genkey -keystore server.keystore -alias mycert -keyalg RSA -keysize 2048 -validity 3950

  2. Self-certify the certificate:

keytool -selfcert -alias mycert -keystore server.keystore -validity 3950

  3. Export the certificate to a folder:

keytool -export -alias mycert -keystore server.keystore -rfc -file mycert.cer

  4. Import the certificate into the client truststore:

keytool -importcert -alias mycert -file mycert.cer -keystore truststore

Cater answered 22/12, 2016 at 10:10 Comment(1)
Hi, I have one scenario where I have two different applications within the same container (Tomcat). From both applications, I have to call the REST endpoints from both sides to each application, like from A to B and B to A (A and B are the two applications). Do I need to use the truststore in this scenario? As I am using a custom REST client which is using a keystore. Please suggest. – Dree
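An added example, not code from the page or from any of the posters, that ties the two files to the roles Christianchristiana's answer describes (KeyManager decides what you present, TrustManager decides what you accept) and to the handshake steps above: it loads the server.keystore and truststore files that the four keytool steps produce, reports which aliases are key entries versus trusted-certificate entries (the only real difference between a "keystore" and a "truststore" file), and builds an SSLContext from a KeyManager on the first and a TrustManager on the second. The file names come from the steps above; the password "changeit", the class name StoreRoles and the keystore type (keytool's default) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Loads the server's identity keystore and the client's truststore created by the keytool
// steps above, classifies their entries, and wires each into its JSSE role.
public class StoreRoles {
    // Both files are ordinary keystores; the type is assumed to be keytool's default.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // A "truststore" holds only trustedCertEntry aliases; an identity keystore holds at
    // least one key entry (private key plus its certificate chain). Same format, either way.
    static String describe(KeyStore ks) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (String alias : Collections.list(ks.aliases())) {
            sb.append(alias).append(": ")
              .append(ks.isKeyEntry(alias) ? "key entry (identity, used by KeyManager)"
                                           : "trusted cert entry (used by TrustManager)")
              .append('\n');
        }
        return sb.toString();
    }
    // Explicit equivalent of -Djavax.net.ssl.keyStore / -Djavax.net.ssl.trustStore.
    static SSLContext build(KeyStore identity, char[] keyPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);   // decides which credentials we present to the peer
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);               // decides which peer credentials we accept
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // assumed password for both files and the key
        KeyStore identity = load("server.keystore", pass);
        KeyStore trust = load("truststore", pass);
        System.out.print(describe(identity) + describe(trust));
        System.out.println("protocol: " + build(identity, pass, trust).getProtocol());
    }
}
```

Pointing both arguments at the same file works too, as the answers say; the entry types, not the file, decide which manager uses what.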
29

There is no difference between keystore and truststore files. Both are files in the proprietary JKS file format. The distinction is in the use: To the best of my knowledge, Java will only use the store that is referenced by the -Djavax.net.ssl.trustStore system property to look for certificates to trust when creating SSL connections. Same for keys and -Djavax.net.ssl.keyStore. But in theory it's fine to use one and the same file for trust- and keystores.

Proprietary answered 14/6, 2011 at 8:35 Comment(3)
You can use different types of keystore (e.g., PKCS12) by setting the javax.net.ssl.keyStoreType and javax.net.ssl.trustStoreType system properties. – Culdesac
@Donal: Good addition. Do you happen to know if there is a list of all supported containers? I only know of PKCS12 and JKS (the former being the result of trial and error...). – Proprietary
The keystore formats vary depending on the providers available (see this list for those bundled with the Oracle JRE by default). There was also a discussion in this question. Other providers (e.g. BouncyCastle) can be used for other formats. – Christianchristiana
0

These are the steps to create a truststore on your local machine using keytool. Steps to create a truststore for a URL on your local machine:

1) Open the URL in the browser using Chrome

2) Look for the "i" icon to the left of the URL in Chrome and click it

3) Look for the certificate option and click it; a dialog box will open

4) Check the "certificate path" tab for the number of certificates available to create the truststore

5) Go to the "details" tab -> click "Copy to File" -> give the path and the name for the certificate you want to create.

6) Check if it has parent certificates and follow point "5" for each.

7) After all the certificates are created, open Command Prompt and navigate to the path where you created the certificates.

8) Use the keytool command below to add the certificates and create a truststore.

Sample:
   keytool -import -alias abcdefg -file abcdefg.cer -keystore cacerts
        where "abcdefg" is the alias name, "abcdefg.cer" is the actual certificate name and "cacerts" is the truststore name

9) Run the keytool command for all the certificates to add them to the trust store.

   keytool -list -v -keystore cacerts
Refractor answered 24/10, 2019 at 4:57 Comment(0)
-1

A keystore simply stores private keys, whereas a truststore stores public keys. You will want to generate a Java certificate for SSL communication. You can use a keygen command in Windows; this will probably be the easiest solution.

Sniggle answered 19/12, 2017 at 13:58 Comment(2)
A truststore stores trusted certicificates. – Doloroso
@Doloroso trusted certificates ** :) – Ginzburg