FreeKB - Understanding the difference between a keystore and a truststore

Let's say you have a web server that serves HTTPS web pages. When a client submits a request to get a web page from your web server, a keystore on the web server can be used to encrypt the packets being exchanged between the client and the server. The keystore contains both the public certificate and the private key. A keystore is a file such as foo.p12.


On the other hand, let's say you know you are going to be requesting a resource from a server often over a secured channel, such as HTTPS. Instead of going through the negotiation process to have the server provide you with the public certificate, you could store the server's public certificate in a truststore. Then, when you need to request a resource from the server, you will already have the certificate, so that you can present the certificate to the server and get on with the request. A truststore is a file, such as trust.p12.


Both a keystore and a truststore are files, such as key.p12 and trust.p12. The Java keytool command can be used to view, import, add, and remove public certificates and private keys from a keystore or truststore.

In this example, the key.p12 keystore contains a public certificate called "default". A private key doesn't contain user-specific data, such as an "alias" or "expiration date", so the user-specific data in the keystore represents the public certificates in the keystore, not the private key.

~]# keytool -list -v -storetype PKCS12 -storepass changeit -keystore /path/to/key.p12
. . .
Alias: default


In this example, the trust.p12 keystore contains a public certificate called "".

~]# keytool -list -v -storetype PKCS12 -storepass changeit -keystore /path/to/trust.p12
. . .
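
The script below is an added example, not part of the original page: it builds key.p12 and trust.p12 with keytool and reports the entry type of each alias, showing that the keystore holds a private-key entry while the truststore holds only a trusted certificate. The CN, the alias example-server, the scratch directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Alias names, CN=www.example.com and the password "changeit"
# are constructed sample values.

# Create key.p12 (private key + certificate) and trust.p12 (certificate only)
# in the directory passed as $1.
build_stores() {
  dir=$1
  pass=changeit
  # Server side: generate a key pair. keytool wraps the public key in a
  # self-signed certificate and stores both under the alias "default".
  keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.example.com" -storetype PKCS12 \
    -keystore "$dir/key.p12" -storepass "$pass" >/dev/null 2>&1 || return 1
  # Export only the public certificate; the private key stays in key.p12.
  keytool -exportcert -rfc -alias default -storetype PKCS12 \
    -keystore "$dir/key.p12" -storepass "$pass" \
    -file "$dir/server.crt" >/dev/null 2>&1 || return 1
  # Client side: import that certificate into trust.p12 as a trusted entry.
  keytool -importcert -noprompt -alias example-server -file "$dir/server.crt" \
    -storetype PKCS12 -keystore "$dir/trust.p12" -storepass "$pass" \
    >/dev/null 2>&1 || return 1
}

# Print the entry type keytool reports for alias $2 in store $1
# (empty output if the alias is not in the store).
# -J-Duser.language=en forces English output so the sed pattern matches.
entry_type() {
  keytool -J-Duser.language=en -list -v -alias "$2" -storetype PKCS12 \
    -storepass changeit -keystore "$1" 2>/dev/null |
    sed -n 's/^Entry type: //p'
}

# Demo: build both stores in a scratch directory and compare the entries.
demo() {
  tmp=$(mktemp -d) || return 1
  build_stores "$tmp" || { rm -rf "$tmp"; return 1; }
  echo "key.p12   / default        : $(entry_type "$tmp/key.p12" default)"
  echo "trust.p12 / example-server : $(entry_type "$tmp/trust.p12" example-server)"
  rm -rf "$tmp"
}

demo || echo "keytool failed or is not installed (a JDK is required)" >&2
```

With a JDK on the PATH, the first line reports PrivateKeyEntry and the second reports trustedCertEntry.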

