Understanding the difference between a keystore and a truststore


A keystore stores an entity's own public certificates and private keys, and a truststore stores the public certificates of the parties that entity trusts; together they let SSL be used to authenticate and encrypt the connection between a client and a server.


As an example, let's say you request an app from an application server over HTTPS.


The server sends the client its public certificate from its keystore. The client then uses that certificate to establish an SSL connection with the server, and the server uses the private key in its keystore to complete the SSL connection.


A keystore and a truststore are each a file, such as key.p12 and trust.p12. The Java keytool command can be used to view, import, add, and remove public certificates and private keys in a keystore or truststore.

In this example, the key.p12 keystore contains a public certificate with the alias "default". A private key doesn't carry user-specific data such as an alias or an expiration date, so the user-specific data shown for the keystore describes the public certificates in it, not the private key.

~]# keytool -list -v -storetype PKCS12 -storepass changeit -keystore /path/to/key.p12
. . .
Alias: default


In this example, the trust.p12 truststore contains a public certificate with the alias "example.com".

~]# keytool -list -v -storetype PKCS12 -storepass changeit -keystore /path/to/trust.p12
. . .
Alias: example.com


A server may also have a truststore. For example, let's say an app in an application server needs to make a secured connection to some other server. In this scenario, trust would need to be established between the application server and the remote server: the remote server presents its certificate to the application server, and the application server stores the remote server's certificate in its truststore.
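The following shell script is an added example, not part of the original article, that builds the two files discussed above with keytool and shows the difference the article describes: key.p12 ends up holding a PrivateKeyEntry (the server's own identity), while trust.p12 holds only a trustedCertEntry (a certificate the client has decided to trust), and the alias and expiration date shown by keytool belong to the certificate in each case. It also covers the last scenario, since importing a remote server's exported certificate into a truststore is exactly what the make_truststore step does. The working directory, the aliases "default" and "example.com", the password "changeit" and the subject name are assumptions chosen for the example; a JDK with keytool on the PATH is required.

```shell
#!/bin/sh
# Added example: build a keystore (key.p12) and a truststore (trust.p12) with
# keytool and inspect what kind of entry each one holds.
# Assumed values (not from the article): WORKDIR, aliases, password, subject name.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS=changeit

# Server side: generate a private key plus a self-signed certificate in key.p12.
# The resulting entry is a PrivateKeyEntry, i.e. the server's own identity.
make_keystore() {
    keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=example.com, O=Example, C=US" -ext "SAN=dns:example.com" \
        -storetype PKCS12 -keystore "$WORKDIR/key.p12" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# Export only the public certificate; the private key never leaves key.p12.
export_cert() {
    keytool -exportcert -alias default -rfc \
        -storetype PKCS12 -keystore "$WORKDIR/key.p12" -storepass "$STOREPASS" \
        -file "$WORKDIR/example.com.pem" >/dev/null 2>&1
}

# Client side: import that certificate into trust.p12 as a trustedCertEntry.
# This is the same operation an application server performs when it decides to
# trust a remote server's presented certificate.
make_truststore() {
    keytool -importcert -noprompt -alias example.com -file "$WORKDIR/example.com.pem" \
        -storetype PKCS12 -keystore "$WORKDIR/trust.p12" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# Print the entry type keytool reports for an alias: "PrivateKeyEntry" or
# "trustedCertEntry". $1 = store file, $2 = alias.
entry_type() {
    keytool -list -v -storetype PKCS12 -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" 2>/dev/null | sed -n 's/^Entry type: //p'
}

# Print the certificate fingerprint for an alias, so the two stores can be
# shown to contain the same certificate. $1 = store file, $2 = alias.
fingerprint() {
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" 2>/dev/null | sed -n 's/^Certificate fingerprint ([A-Za-z0-9-]*): //p'
}

main() {
    make_keystore
    export_cert
    make_truststore
    echo "key.p12   alias default     : $(entry_type "$WORKDIR/key.p12" default)"
    echo "trust.p12 alias example.com : $(entry_type "$WORKDIR/trust.p12" example.com)"
    if [ "$(fingerprint "$WORKDIR/key.p12" default)" = "$(fingerprint "$WORKDIR/trust.p12" example.com)" ]; then
        echo "both stores hold the same certificate; only key.p12 holds the private key"
    fi
}

# Run the whole workflow when executed as a script.
if command -v keytool >/dev/null 2>&1; then
    main
else
    echo "keytool (from a JDK) is required to run this example" >&2
fi
```

Running the script prints the entry type of each store; `keytool -list -v` on key.p12 then shows the same "Alias: default" line as the article's listing, and the alias and expiration date it reports come from the certificate, not from the private key stored beside it.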
