Tuesday, August 3, 2021

Difference between trustStore and keyStore in Java - SSL

trustStore vs keyStore in Java
trustStore and keyStore are used in the context of setting up SSL connection in Java application between client and server. TrustStore and keyStore are very much similar in terms of construct and structure as both are managed by keytool command and represented by KeyStore programmatically but they often confused Java programmers both beginners and intermediate alike. The only difference between trustStore and keyStore is what they store and its purpose. In SSL handshake purpose of trustStore is to verify credentials and the purpose of keyStore is to provide credentials. keyStore in Java stores private key and certificates corresponding to there public keys and require if you are SSL Server or SSL requires client authentication.

TrustStore stores certificates from third parties, your Java application communicate or certificates signed by CA(certificate authorities like Verisign, Thawte, Geotrust, or GoDaddy) which can be used to identify third parties. 

This is the second article on setting up SSL on Java program, In the last post we have seen How to import SSL certificates into trustStore and keyStore and In this Java the article we will some differences between keystore and truststore in Java, which will help to understand this concept better.

Difference between trustStore and keyStore in Java

Difference between trustStore and keyStore in Java - SSL setupHere is the list of the most common difference between keyStore and trustStore. I have already mentioned key the difference in the first paragraph which is related to the purpose of keyStore and trustStore, which we will see here in a little more detail.



1. Purpose

The first and major difference between trustStore and keyStore is that trustStore is used by TrustManager and keyStore is used by KeyManager class in Java. KeyManager and TrustManager perform different jobs in Java, TrustManager determines whether the remote connection should be trusted or not i.e. whether the remote party is who it claims to and KeyManager decides which authentication credentials should be sent to the remote host for authentication during SSL handshake. 

if you are an SSL Server you will use a private key during key exchange algorithm and send certificates corresponding to your public keys to client, this certificate is acquired from keyStore. 

On the SSL client-side, if its written in Java, it will use certificates stored in trustStore to verify the identity of the Server. SSL certificates are most commonly comes as a .cer file which is added into keyStore or trustStore by using any key management utility e.g. keytool. See my post How to add certificates into trustStore for step by step guide on adding certificates into keyStore or trustStore in Java.


2. Content

Another difference between trustStore and keyStore in rather simple terms are that keyStore contains private keys and is required only if you are running a Server in SSL connection or you have enabled client authentication on the server-side. On the other hand trustStore stores public-key or certificates from CA (Certificate Authorities) which is used to trust remote party or SSL connection.


3. Path

One more difference between trustStore vs KeyStore is that we use -Djavax.net.ssl.keyStore to specify path for keyStore and -Djavax.net.ssl.trustStore to specify the path for trustStore in Java.


4. Personal Certificates

Another difference between trustStore and keyStore is that, If you store your personal certificate along with the signer certificate in trustStore,  you can use the same file as both trustStore and keyStore. By the way, it's a good idea to separate personal certificate and signer certificates in keyStore and trustStore for better management.


5. Password

One more API level difference between keyStore and trustStore is that  password of keyStore is provided using -Djavax.net.ssl.keyStorePassword and the password of trustStore is provided using -Djavax.net.ssl.trustStorePassword.


That’s all about the difference between trustStore and keyStore in Java. You can still use the same file as trustStore and keyStore in Java to avoid maintaining two separate files, but its a good idea to segregate public keys and private keys in two different files, it's more verbose and self-explanatory that which one holds CA certificates to trust the server and which contains the client's private keys.


Related Java tutorials

15 comments:

  1. An other consequence of your point 2) is that if one wants to create a self-signed certificate, it is only possible with a keystore. Signing a certificate needs a private key, which is not present in a truststore. Thanks for helping me understand this more exactly with your article.

    ReplyDelete
  2. @Alice and @Mansura, thanks, glad to hear that you learn something about trust store and key store in Java.

    ReplyDelete
  3. nice article. finally after a lot of internet digging, understand the topic

    ReplyDelete
  4. Thanks for detailed explanation. It's very helpful.

    ReplyDelete
  5. Dear Sir. Could you please untangle the following sentence:
    "keyStore in Java stores private key and certificates corresponding to there public keys and require if you are SSL Server or SSL requires client authentication."
    Unfortunatelly I can't understand it even gramatically.

    ReplyDelete
    Replies
    1. "keyStore in Java stores private key" means things that go into the keystore should be things that strictly belong to you (ie. your digital identity) (eg. your private key and/or CA-signed certificates).

      "certificates corresponding to there public keys" means the CA-signed certificate that has been provided to you by a Certificate Authority. Explanation: In order to get a CA-signed certificate you need to submit a CSR (Certificate Signing Request). As part of the CSR, you must select a public key (that you own) that will be attached to all the other information in the CSR.

      "and require if you are SSL Server or SSL requires client authentication." means if you are running a server of some kind (eg. typically a website on "mydomain.com"), then clients connecting to your server want to know that "mydomain.com" truely belongs to you. In order to achieve this, they will send you a message that only your private key or CA-signed certificate can decrypt (these keys are stored server-side); if you send them a correctly decrypted message, then this proves that "mydomain.com" actually belongs to you.

      Delete
  6. Most useful article. Thanks for the help

    ReplyDelete
  7. Did he just said to store private key then public key. So private or public? confusing as hell.

    ReplyDelete
  8. In order to understand truststore and keystore, you need to first understand how public key-private key works. You see, there are two keys, one is public key which everybody knows and one is private key which only you know. keystore is where public keys are stored and trustStore is where private keys are stored.

    ReplyDelete