Beginner’s guide to Key-stores and Trust-stores

Yasara Yasawardhana
4 min read · Jun 26, 2022


Overview

We come across the two terms keystore and truststore most often when our applications need to communicate over SSL/TLS.

In this blog, I will provide an overview of the differences between a Java key-store and a trust-store.

Usually, these files are password-protected and reside on the same file system as our application. For example, in the WSO2 Identity Server file system, if you navigate to <IS_HOME>/repository/resources/security you can see the keystore as wso2carbon.jks and the truststore as client-truststore.jks.

KeyStore

A Java keystore holds private keys together with the certificate chain that carries the matching public key, trusted certificates, or symmetric secret keys. These are the credentials an application presents, whether it acts as server or as client, to prove its identity to the other party. Each entry is stored under an alias, a short name used to look it up (for example, a server's own key pair under the alias mydomain).

Keystores hold keys that our application owns, which we can use to prove the integrity of a message and the authenticity of its sender by signing payloads.

Typically a keystore is needed by a server that serves HTTPS. During the TLS handshake the server takes the private key entry from its keystore and sends the matching certificate (which carries the public key) to the client. The private key itself never leaves the server; it is only used to prove possession of the key during the handshake.

If the server also requires the client to authenticate itself, the client has a keystore of its own and presents its certificate in the same way. This is called mutual authentication (mutual TLS, or mTLS).

Apart from the handshake, public keys verify signatures and encrypt data, whereas private keys sign and decrypt. Secret (symmetric) keys encrypt and decrypt with the same key. A keystore is the place where an application keeps all of these, protected by a password.

TrustStore

A truststore is the opposite. While a keystore holds certificates that identify us, a truststore holds certificates that identify others, and nothing else: no private keys.

In Java, the truststore decides which remote parties we are willing to talk to.

For example, if a client talks to a Java-based server over HTTPS, the server looks up the private key entry in its keystore and presents the matching certificate and public key to the client.

The client then looks for a matching trust anchor in its truststore: either the server's certificate itself, or a certificate of the Certificate Authority that the server's chain leads back to. If neither is present, the handshake fails with an SSLHandshakeException (typically "PKIX path building failed ... unable to find valid certification path to requested target") and the connection is not established. If the application does not configure a truststore of its own, Java falls back to the JDK's cacerts file (which can be overridden with -Djavax.net.ssl.trustStore).

In Java programming, this is how every connection to a third-party application over TLS is validated. The connection between the client and the server, with the roles of the keystore and truststore, is represented diagrammatically as follows.
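The handshake just described, as an added example that is not part of the original post: a TLS server is built from keystore.jks (a PrivateKeyEntry under the alias mydomain, as produced by the keytool commands later on this page), and two clients connect to it. The first trusts truststore.jks, which holds that server certificate as a trustedCertEntry; the second uses the JVM's default truststore (cacerts), which does not know the self-signed certificate, and so fails. The file names and the password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class KeystoreTruststoreDemo {

    // Assumed inputs (not from the original post): keystore.jks holds a
    // PrivateKeyEntry under alias "mydomain"; truststore.jks holds that
    // entry's certificate as a trustedCertEntry (keytool -export / -import).
    static final String KEYSTORE = "keystore.jks";
    static final String TRUSTSTORE = "truststore.jks";
    static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Server side: the keystore supplies the private key and certificate
    // chain that the server presents during the handshake.
    static SSLContext serverContext(KeyStore keystore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client side: the truststore decides which server certificates are accepted.
    static SSLContext clientContext(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Perform one handshake against the local server and report the outcome.
    static String connect(SSLContext client, int port) {
        try (SSLSocket s = (SSLSocket) client.getSocketFactory().createSocket("localhost", port)) {
            s.startHandshake();
            return "handshake OK, peer = " + s.getSession().getPeerPrincipal();
        } catch (SSLHandshakeException e) {
            return "SSLHandshakeException: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore keystore = load(KEYSTORE, PASSWORD);
        KeyStore truststore = load(TRUSTSTORE, PASSWORD);

        final SSLServerSocket server = (SSLServerSocket) serverContext(keystore)
                .getServerSocketFactory().createServerSocket(0); // ephemeral port
        int port = server.getLocalPort();

        // Accept loop in a background thread: one accept per client attempt.
        // A rejected handshake also throws here; the client sees the reason.
        Thread acceptor = new Thread(() -> {
            for (int i = 0; i < 2; i++) {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                } catch (Exception ignored) {
                }
            }
        });
        acceptor.setDaemon(true);
        acceptor.start();

        // 1) client trusting truststore.jks: the self-signed server cert is a trust anchor
        System.out.println("truststore.jks  -> " + connect(clientContext(truststore), port));
        // 2) client with the JVM default (cacerts): no anchor for our cert,
        //    so the handshake fails with "PKIX path building failed ..."
        System.out.println("default cacerts -> " + connect(SSLContext.getDefault(), port));
        server.close();
    }
}
```

Save as KeystoreTruststoreDemo.java, compile with javac and run with java in the directory holding the two .jks files. Note that a raw SSLSocket only validates the certificate chain; it does not check that the hostname matches the certificate unless you enable endpoint identification (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")), which HttpsURLConnection does for you. Production clients should have both checks on.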

Comparison

  • Keystore: holds our own identity, a private key with its certificate chain (and optionally secret keys). Used by the server in every TLS handshake, and by the client as well under mutual authentication.
  • Truststore: holds only certificates of parties we trust (CA certificates or peer certificates), never private keys. Used by whichever side is verifying the other's certificate.
  • Both are KeyStore files (JKS, or PKCS12, which is the default type since Java 9), both are password-protected and both are managed with keytool; the two names describe the role a file plays, not a different file format.

What is Keytool?

Along with these two stores, another term that comes up frequently is keytool. It is the JDK's command-line utility for managing keys and certificates and storing them in a keystore: it can create key pairs and self-signed certificates, generate certificate signing requests, import and export certificates, and show what a keystore contains. If you prefer a GUI, KeyStore Explorer performs the same operations.

Below are the most common keytool commands and their usage. -genkey, -import and -export are the older spellings of -genkeypair, -importcert and -exportcert; both forms still work.

  • Generate a Java keystore and key pair (keytool also creates a self-signed certificate for the pair)
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
  • Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
  • Import a signed primary certificate to an existing Java keystore (the alias must match the key pair's alias, so that the CA-signed certificate replaces the self-signed one)
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
  • Generate a keystore and self-signed certificate (a password given with -storepass ends up in the shell history; omit it and keytool prompts for it instead)
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity <days>
  • Export a certificate from a keystore (only the certificate is written; the private key never leaves the keystore)
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List the JDK's trusted CA certificates (this path is for Java 8; from Java 9 the file lives at $JAVA_HOME/lib/security/cacerts, and keytool -list -cacerts finds it for you)
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Delete a certificate from a Java keystore
keytool -delete -alias mydomain -keystore keystore.jks
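As an added example (not from the original post) of what the -list, -export and -import steps above do at the API level: the program opens the keystore.jks produced by the key-pair step, prints every alias with its entry type, writes a truststore.jks that carries only the certificates, and then checks that no private key slipped into the result. The file names and the password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class BuildTruststore {

    // Assumed inputs (not from the original post): keystore.jks from the
    // "keytool -genkey" step above, protected by PASSWORD.
    static final char[] PASSWORD = "changeit".toCharArray();

    // keytool -list: walk every alias and report its entry type, using the
    // same vocabulary keytool prints.
    static void listEntries(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            String kind;
            if (ks.isCertificateEntry(alias)) {
                kind = "trustedCertEntry";      // we merely trust this certificate
            } else if (ks.getCertificate(alias) != null) {
                kind = "PrivateKeyEntry";       // we own the key behind this certificate
            } else {
                kind = "SecretKeyEntry";        // symmetric key, no certificate
            }
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no certificate)";
            System.out.printf("%-12s %-16s %s%n", alias, kind, subject);
        }
    }

    // keytool -export followed by keytool -import, in one step: copy only the
    // certificate of each entry into a fresh store. The private key never
    // leaves the keystore, which is exactly what makes the result a truststore.
    static KeyStore truststoreFrom(KeyStore keystore) throws Exception {
        KeyStore truststore = KeyStore.getInstance("JKS");
        truststore.load(null, null); // start empty
        for (String alias : Collections.list(keystore.aliases())) {
            Certificate cert = keystore.getCertificate(alias);
            if (cert != null) {
                truststore.setCertificateEntry(alias, cert);
            }
        }
        return truststore;
    }

    // Guard against the classic mistake of shipping a keystore as a truststore.
    static boolean containsKeyEntry(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keystore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("keystore.jks")) {
            keystore.load(in, PASSWORD);
        }
        System.out.println("keystore.jks entries:");
        listEntries(keystore);

        KeyStore truststore = truststoreFrom(keystore);
        try (OutputStream out = new FileOutputStream("truststore.jks")) {
            truststore.store(out, PASSWORD);
        }
        System.out.println("truststore.jks entries:");
        listEntries(truststore);
        System.out.println("truststore holds a key entry: " + containsKeyEntry(truststore));
    }
}
```

The final line prints false for a correctly built truststore; treat true as a deployment bug, since a store that contains our private key must never be handed to clients as a truststore.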

Conclusion

In this blog, we discussed the main differences between a keystore and a truststore, along with their usage. We also looked at the keytool command, which is used frequently when working with keystores.

Thank you for reading.
