Keystore vs Truststore - Similarities

Usually, the keystore and truststore:

• are used when a Java application needs to communicate over TLS
• are password-protected files that sit on the same file system as our running application. The default format used for these files is JKS until Java 8. Since Java 9, though, the default keystore format is PKCS12. The biggest difference between JKS and PKCS12 is that JKS is a format specific to Java, while PKCS12 is a standardized and language-neutral way of storing encrypted private keys and certificates

Keystore vs Truststore - Differences

Keystore vs Truststore - SLL/TLS Handshake

Let’s say we have a client that wants to communicate with a server over SSL/TLS

The server will look up the associated key from its keystore and present the public key and certificate to the client.

The client, then looks up the associated certificate in our truststore. If the certificate or Certificate Authorities presented by the server is not in our truststore, we’ll get an SSLHandshakeException and the connection won’t be set up successfully.

Interacting With Keystore and/or Truststore

We can interact with the keystore and/or truststore with either:

• Java programmatically
• command-line keytool

Default Keystore and Truststore

keystore

There’s no default keystore

truststore

Java has bundled a truststore called cacerts and it resides in either:

• Java <11 - $JAVA_HOME/jre/lib/security/cacerts
• Java ≥11 - $JAVA_HOME/lib/security/cacerts

On many Linux distros, often <JRE>/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts

The default password for this truststore is ‘changeit’

It contains default, trusted Certificate Authorities:

$ keytool -list -keystore $JAVA_HOME/lib/security/cacerts
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
 
Your keystore contains 92 entries
 
verisignclass2g2ca [jdk], 2018-06-13, trustedCertEntry,
Certificate fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
...

We see here that the truststore contains 92 trusted certificate entries and one of the entries is the verisignclass2gca entry. This means that the JVM will automatically trust certificates signed by verisignclass2g2ca

Setting Keystore and/or Truststore to be used in Java App

keystore

If we want to use an encrypted channel, we’ll have to set both:

• javax.net.ssl.keyStore
• javax.net.ssl.keyStorePassword

If our keystore format is different than the default, we use:

• javax.net.ssl.keyStoreType

To switch on logging for the SSL/TLS layer:

• javax.net.debug

java -Djavax.net.ssl.keyStore=/location/of/new/keystore-file \
     -Djavax.net.ssl.keyStorePassword=PASSWORD \
     -Djavax.net.ssl.keyStoreType=KeychainStore \
     -Djavax.net.debug=ALL \
     -jar MyApplication.jar

truststore

Overriding Default Truststore

specify own TrustStore via:

• javax.net.ssl.trustStore
• javax.net.ssl.trustStorePassword

If our truststore format is different than the default, we use:

• javax.net.ssl.trustStoreType

To switch on logging for the SSL/TLS layer:

• javax.net.debug

java -Djavax.net.ssl.trustStore=/location/of/new/truststore-file \
     -Djavax.net.ssl.trustStorePassword=PASSWORD \
     -Djavax.net.ssl.trustStoreType=KeychainStore \
     -Djavax.net.debug=ALL \
     -jar MyApplication.jar

Subpages

• keytool (java binary)

Code Examples

• https://github.com/java-code-examples/keystore-truststore-examples