trustStore
vs keyStore in Java
trustStore and keyStore are used in context of setting up SSL connection
in Java application between client and server. TrustStore and keyStore are very
much similar in terms of construct and structure as both are managed by keytoolcommand and represented by KeyStore programatically but they
often confused Java programmer both beginners and intermediate alike. Only difference between trustStore and keyStore
is what they store and there purpose. In SSL handshake purpose of trustStore
is to verify credentials and purpose of keyStore is to provide
credential. keyStore in Java stores private key and certificates
corresponding to there public keys and require if you are SSL Server or SSL
requires client authentication. TrustStore stores certificates from third party,
your Java application communicate or certificates signed by CA(certificate
authorities like Verisign, Thawte, Geotrust or GoDaddy) which can
be used to identify third party. This is second article on setting up SSL on
Java program, In last post we have seen How
to import SSL certificates into trustStore and keyStore and In this Java
article we will some differences between keystore and truststore in Java, which
will help to understand this concept better.
Difference between trustStore and keyStore in Java
Here is the list of most common
difference between keyStore and trustStore. I have already mentioned key
difference in first paragraph which is related to purpose of keyStore and trustStore,
which we will see here is little more detail.
1)First and major difference between trustStore and keyStore is that
trustStore is used by TrustManager and keyStore is used by KeyManager class
in Java. KeyManager and TrustManager performs
different job in Java, TrustManager determines whether remote
connection should be trusted or not i.e. whether remote party is who it claims
to and KeyManager decides which authentication credentials should be sent to the remote host for authentication during SSL
handshake. if you are an SSL Server you will use private key during key
exchange algorithm and send certificates corresponding to your public keys to
client, this certificate is acquired from keyStore. On SSL client side, if its
written in Java, it will use certificates stored in trustStore to verify
identity of Server. SSL certificates are most commonly comes as .cer file which
is added into keyStore or trustStore by using any key management utility e.g. keytool.
See my post How
to add certificates into trustStore for step by step guide on adding
certificates into keyStore or trustStore in Java.
2) Another difference between trustStore and keyStore in rather
simple terms is that keyStore contains private keys and required only if you
are running a Server in SSL connection or you have enabled client authentication on server side. On the other hand trustStore stores
public key or certificates from CA (Certificate Authorities) which is used to
trust remote party or SSL connection.
3)One more difference between trustStore vs KeyStore is that we use -Djavax.net.ssl.keyStore to specify
path
for keyStore and -Djavax.net.ssl.trustStore to specify
path for trustStore in Java.
4) Another difference between trustStore and keyStore is that, If you
store your personal certificate along with signer certificate in trustStore, you can use same file as both trustStore and keyStore. By the
way its good idea to separate personal certificate and signer certificates in
keyStore and trustStore for better management.
5) One more API level difference between keyStore and trustStore is that password of keyStore is provided using -Djavax.net.ssl.keyStorePassword and password
of trustStore is provided using -Djavax.net.ssl.trustStorePassword.
That’s all on difference between trustStore and keyStore in Java. You can
still use same file as trustStore and keyStore in Java to
avoid maintaining two separate files, but its good idea to segregate public
keys and private keys in two different files, its more verbose and self explanatory that which one holds CA certificates to trust server and which
contains client's private keys.
Further Reading
Complete Java Masterclass
Learn Spring Security by Eugen
Java Fundamentals: The Java Language
Related
Java tutorials
13 comments :
An other consequence of your point 2) is that if one wants to create a self-signed certificate, it is only possible with a keystore. Signing a certificate needs a private key, which is not present in a truststore. Thanks for helping me understand this more exactly with your article.
nice sir . Keep it coming .
@Alice and @Mansura, thanks, glad to hear that you learn something about trust store and key store in Java.
nice article. finally after a lot of internet digging, understand the topic
*their
Thanks for detailed explanation. It's very helpful.
Nice explanation!
5 stars for this
great explanation!thanks
Dear Sir. Could you please untangle the following sentence:
"keyStore in Java stores private key and certificates corresponding to there public keys and require if you are SSL Server or SSL requires client authentication."
Unfortunatelly I can't understand it even gramatically.
Most useful article. Thanks for the help
Thanks @Munkumar
"keyStore in Java stores private key" means things that go into the keystore should be things that strictly belong to you (ie. your digital identity) (eg. your private key and/or CA-signed certificates).
"certificates corresponding to there public keys" means the CA-signed certificate that has been provided to you by a Certificate Authority. Explanation: In order to get a CA-signed certificate you need to submit a CSR (Certificate Signing Request). As part of the CSR, you must select a public key (that you own) that will be attached to all the other information in the CSR.
"and require if you are SSL Server or SSL requires client authentication." means if you are running a server of some kind (eg. typically a website on "mydomain.com"), then clients connecting to your server want to know that "mydomain.com" truely belongs to you. In order to achieve this, they will send you a message that only your private key or CA-signed certificate can decrypt (these keys are stored server-side); if you send them a correctly decrypted message, then this proves that "mydomain.com" actually belongs to you.
Post a Comment