Bootstrap FreeKB - OpenSSL - Create a keystore using the openssl pkcs12 command


keystore vs. truststore

First and foremost, it is important to recognize the difference between a keystore and a truststore. Consider a scenario where a Tomcat application server is being used. There will be both inbound and outbound TLS connections. Typically, an inbound request is a remote system connecting to an app deployed to Tomcat. Typically, an outbound request is an app deployed to Tomcat connecting out to another system, such as when making a query to a remote SQL database.

 

For inbound requests Tomcat must present its own identity, so it uses a keystore (its private key and certificate chain). For outbound requests Tomcat must verify the remote system's certificate, so it uses a truststore (the CA certificates it is willing to trust). As a rule of thumb, when you see keystore think "inbound" (my own identity) and when you see truststore think "outbound" (who I trust). The common exception is mutual TLS, where both sides present a certificate and each side therefore needs both a keystore and a truststore.

 


Create a keystore

A keystore contains one or more PrivateKeyEntry, each a key pair (a private key and its public certificate, plus any chain certificates). A truststore contains one or more trustedCertEntry and should not contain any PrivateKeyEntry. In this example, a keystore named example.p12 is created from a PEM certificate (example.com.cer) and its matching private key (example.com.key). The openssl pkcs12 command prompts for an export password; that password protects the contents of the file and is the one keytool will later ask for. If the certificate was issued by an intermediate CA, add the intermediate certificate(s) with -certfile chain.pem so that Tomcat can send the full chain.

openssl pkcs12 -export -out example.p12 -in example.com.cer -inkey example.com.key

 

The Java keytool command can be used to list the trustedCertEntry and PrivateKeyEntry in the keystore. Notice in this example that the alias of the PrivateKeyEntry is 1. If no alias (the PKCS#12 friendlyName attribute) is set when the file is created, keytool shows the alias as 1.

~]# keytool -keystore /path/to/example.p12 -storetype pkcs12 -list
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, Feb 28, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 14:8C:CD:59:A9:C4:48:45:33:28:C3:AE:E7:6C:B6:1E:0A:F5:3B:9C:64:E5:BB:02:69:30:81:D9:6D:5F:06:AD

 

The -name option sets the friendlyName attribute on the entry, which keytool shows as the alias of the trustedCertEntry or PrivateKeyEntry.

openssl pkcs12 -export -out example.p12 -in example.com.cer -inkey example.com.key -name example.com

 

Now, the entry in the keystore has the specified alias.

~]# keytool -keystore /path/to/example.p12 -storetype pkcs12 -list
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

example.com, Feb 28, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 14:8C:CD:59:A9:C4:48:45:33:28:C3:AE:E7:6C:B6:1E:0A:F5:3B:9C:64:E5:BB:02:69:30:81:D9:6D:5F:06:AD

 

Once the keystore has been created, the openssl pkcs12 command with the -info option displays the certificates and private key in the file, along with the MAC and encryption algorithms used. The output should show a Shrouded Keybag (an encrypted private key), meaning that example.p12 is a keystore, not a truststore. Because the command re-encrypts the private key when writing it out, it prompts for a new PEM pass phrase; add -nodes (or -noenc in OpenSSL 3.x) to write the key unencrypted, or -noout to print only the -info metadata. The algorithms in the output below (pbeWithSHA1And40BitRC2-CBC for the certificates, 3DES for the key) are the pre-3.0 OpenSSL defaults. OpenSSL 3.x writes AES-256-CBC with PBKDF2 by default, and reading an RC2-encrypted file like this one with OpenSSL 3.x requires the -legacy option with the legacy provider available.

~]# openssl pkcs12 -in example.p12 -info
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: E5 6D 55 73 09 C7 DF 9D C6 B4 F4 13 A2 92 F6 1E 21 62 BA 31 
subject=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
issuer=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: E5 6D 55 73 09 C7 DF 9D C6 B4 F4 13 A2 92 F6 1E 21 62 BA 31 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
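The steps above, carried through end to end as an added example (this script is not part of the original article): it generates a throwaway self-signed certificate for example.com, builds a keystore with -name, builds a cert-only truststore with -nokeys, and then uses openssl pkcs12 without keytool to tell the two apart by counting private keys. The certificate, the password "changeit" and the file names are constructed stand-ins, and -nocerts -nodes / -nokeys are used so that none of the inspection commands prompt for a pass phrase.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a keystore and a
# truststore with openssl pkcs12 and classifies each by whether it holds a key.
# Constructed data: throwaway self-signed cert for example.com, password
# "changeit". Works with OpenSSL 1.1.1 and 3.x.
set -eu

WORK=$(mktemp -d)
PASS=changeit

# Throwaway server identity (constructed test data). -nodes leaves the key
# file unencrypted so the later -inkey needs no pass phrase.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/ST=WI/L=Appleton/O=demo/OU=demo/CN=example.com" \
        -keyout "$WORK/example.com.key" -out "$WORK/example.com.cer" \
        >/dev/null 2>&1
}

# Keystore: certificate + private key, alias set with -name. -passout avoids
# the interactive "Enter Export Password" prompt; on a shared host prefer
# -passout file:... or env:... so the password is not visible in ps output.
make_keystore() {
    openssl pkcs12 -export \
        -in "$WORK/example.com.cer" -inkey "$WORK/example.com.key" \
        -name example.com \
        -out "$WORK/example.p12" -passout "pass:$PASS"
}

# Truststore: -nokeys exports only the certificate(s), so the file carries
# trustedCertEntry material and no PrivateKeyEntry.
make_truststore() {
    openssl pkcs12 -export -nokeys \
        -in "$WORK/example.com.cer" \
        -out "$WORK/truststore.p12" -passout "pass:$PASS"
}

# Number of private keys in a PKCS#12 file. -nocerts -nodes prints only the
# key, unencrypted, so openssl does not prompt for a PEM pass phrase.
count_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true
}

# Number of certificates in a PKCS#12 file (-nokeys suppresses key output).
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# friendlyName of the first certificate bag; keytool shows this as the alias.
# Empty when no -name was given (the truststore below).
first_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# A file holding at least one private key is a keystore; otherwise it is a
# truststore. This is the check the -info output above lets you do by eye.
classify() {
    if [ "$(count_keys "$1")" -gt 0 ]; then echo keystore; else echo truststore; fi
}

make_identity
make_keystore
make_truststore
for f in "$WORK/example.p12" "$WORK/truststore.p12"; do
    printf '%s: %s (%s key(s), %s cert(s), alias=%s)\n' \
        "$(basename "$f")" "$(classify "$f")" "$(count_keys "$f")" \
        "$(count_certs "$f")" "$(first_alias "$f")"
done
```

Where keytool is installed, keytool -keystore "$WORK/example.p12" -storetype pkcs12 -list on the two files shows one PrivateKeyEntry with alias example.com and one trustedCertEntry respectively, matching what classify prints.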

 



