Trust Store VS Key Store - Creating With Keytool

The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).

The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), which are then used to build an SSLContext, which essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from; they are then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault() for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values and want specific SSLContexts for a given purpose.)

The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):

TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.

KeyManager: Determines which authentication credentials to send to the remote host.

(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)

Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).

How to identify whether the .jks is a keystore or a truststore?

There's not much of a difference; you can theoretically use one store for both purposes, though it's not recommended.

However, if you use Java keytool to -list the contents of your stores, a keystore should contain mainly PrivateKeyEntrys and a truststore should contain mainly trustedCertEntrys.

KeyStore:

<alias-1>, MMM dd, yyyy, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
<alias-2>, MMM dd, yyyy, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

TrustStore:

<alias-1>, MMM dd, yyyy, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
<alias-2>, MMM dd, yyyy, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
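The keytool -list heuristic in the answer above can be made mechanical with the java.security.KeyStore API, which exposes the same distinction through isKeyEntry and isCertificateEntry. The following is an added example, not code from the original answer: it loads a store, prints one line per alias in keytool's alias/entry-type style, and classifies the file as a keystore, a truststore, or a mixed store. The JKS type, the command-line arguments and the optional password handling are my assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Classifies the entries of a keystore file and reports which role the file plays. */
public final class KeyStoreInspector {

    /** Counts per entry type, with the same rule of thumb as keytool -list by eye. */
    public static final class Summary {
        public int privateKeyEntries;
        public int trustedCertEntries;
        public int secretKeyEntries;

        public String role() {
            if (privateKeyEntries > 0 && trustedCertEntries == 0) return "keystore (identity: private keys + certs)";
            if (trustedCertEntries > 0 && privateKeyEntries == 0) return "truststore (trust anchors only)";
            if (privateKeyEntries == 0 && trustedCertEntries == 0) return "empty or secret-key-only store";
            return "mixed: holds both private keys and trust anchors";
        }
    }

    /**
     * Loads the store. For JKS a null store password skips the integrity check
     * (the same as answering keytool's password prompt with Enter): the alias list and
     * certificates are still readable, but private keys stay locked behind their key password.
     * Assumption: type "JKS"; on JDK 9+ this type also reads PKCS12 files (compat mode).
     */
    public static KeyStore load(String path, char[] storePassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** Prints "alias, entryType, subject" per alias and returns the counts. */
    public static Summary inspect(KeyStore ks) throws GeneralSecurityException {
        Summary s = new Summary();
        for (String alias : Collections.list(ks.aliases())) {
            String kind;
            if (ks.isKeyEntry(alias)) {
                // A key entry that carries a certificate chain is a PrivateKeyEntry;
                // one without a chain (JCEKS/PKCS12 only) is a SecretKeyEntry.
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null && chain.length > 0) {
                    s.privateKeyEntries++;
                    kind = "PrivateKeyEntry";
                } else {
                    s.secretKeyEntries++;
                    kind = "SecretKeyEntry";
                }
            } else if (ks.isCertificateEntry(alias)) {
                s.trustedCertEntries++;
                kind = "trustedCertEntry";
            } else {
                kind = "unknown";
            }
            Certificate c = ks.getCertificate(alias); // works without the key password
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "n/a";
            System.out.printf("%s, %s, %s%n", alias, kind, subject);
        }
        return s;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java KeyStoreInspector <store.jks> [storepass]");
            return;
        }
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        Summary s = inspect(load(args[0], pw));
        System.out.printf("%d PrivateKeyEntry, %d trustedCertEntry, %d SecretKeyEntry -> %s%n",
                s.privateKeyEntries, s.trustedCertEntries, s.secretKeyEntries, s.role());
    }
}
```

Run it as java KeyStoreInspector KeyStore.jks or java KeyStoreInspector truststore.jks. Note that the keystore produced by the generation steps further down this page also carries the CA certificate under the CARoot alias, so the inspector will report it as mixed: that is harmless for a server identity store, but it is the "one store for both purposes" situation the answer above advises against, and the inspector is a quick way to spot it before deploying.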

Relationship between key store, trust store, and certificate

  • Store: a keyStore usually holds private/public keys, while the TrustStore stores only public keys and represents the list of trusted parties, i.e. CAs.

  • Purpose: in the SSL handshake, the purpose of the TrustStore is to verify credentials and the purpose of the keyStore is to provide credentials.

  • The keyStore is used to store your credentials (server or client), i.e. private keys and certificates, while the TrustStore is used to store others' credentials (certificates from CAs): the CA certificates you're willing to trust when a remote party presents its certificate.

  • TrustStore and keyStore are very similar in construction and structure, as both are managed by the keytool command (a binary that comes with the JDK installation, inside JAVA_HOME/bin).

  • JAVA_HOME/JRE/Security/cacerts is a TrustStore, where Java stores the public certificates of root CAs used to authenticate peers (i.e. servers). In Java, one file can represent both KeyStore and TrustStore, but it's better to separate private and public credentials for both security and maintenance reasons.

  • JAVA_HOME/bin/keytool is a tool to manage keys and certificates.

  • A KeyStore is needed when you are setting up the server side of SSL; it is used to store the server's identity certificate, which the server will present to a client on connection, while the trust store set up on the client side must contain it for the connection to work. If your browser connects to any website over SSL, it verifies the certificate presented by the server against its TrustStore.

source

How to generate keystore and truststore

I followed this link.

1. Generate keystore (at server):

keytool -genkey -alias bmc -keyalg RSA -keystore KeyStore.jks -keysize 2048

2. Generate a new ca-cert and ca-key:

openssl req -new -x509 -days 365 -keyout ca-key -out ca-cert   # -days 365: without it openssl issues a 30-day CA cert, which would expire before the 365-day certs signed below

3. Extract the cert / create a certificate signing request (CSR):

keytool -keystore KeyStore.jks -alias bmc -certreq -file cert-file

4. Sign the "cert-file"; cert-signed will be the new cert:

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:yourpass

5. Import the ca-cert into the keystore file:

keytool -keystore KeyStore.jks -alias CARoot -import -file ca-cert

6. Import cert-signed into the keystore:

keytool -keystore KeyStore.jks -alias bmc -import -file cert-signed

7. Copy ca-cert onto the client machine and generate the truststore (at client):

keytool -keystore truststore.jks -alias bmc -import -file ca-cert-s

8. Copy the client's ca-cert onto the server machine and generate the truststore (at server):

keytool -keystore truststore.jks -alias bmc -import -file ca-cert-c

** Repeat steps 1-6 at the client side and generate the truststore at the server side by importing the client's ca-cert (step 8).

I renamed ca-cert after step 6.

Ex: ca-cert-s is generated at the server side and ca-cert-c at the client, and the two are exchanged for generating the truststores.
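The wiring described in the first answer (KeyManagers built from the key store, TrustManagers built from the trust store, both combined into an SSLContext) can be exercised directly against the four stores that steps 1-8 produce. The following is an added example, not code from any of the original answers: it builds one SSLContext per side from explicit store files instead of the javax.net.ssl.* system properties, then runs a mutual-TLS handshake over localhost with client authentication required, so the server's TrustManager has to verify the client's certificate and vice versa. The file names, the single shared password, and the assumption that each key password equals its store password (keytool's default when you just press Enter at the key-password prompt) are mine.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Mutual-TLS loopback: each side authenticates with its keystore and verifies the peer with its truststore. */
public final class MutualTlsDemo {

    /** Builds an SSLContext the way the javax.net.ssl.* defaults would, but from explicit stores. */
    public static SSLContext contextFor(String keyStorePath, char[] keyStorePass,
                                        String trustStorePath, char[] trustStorePass)
            throws IOException, GeneralSecurityException {
        // KeyManager: which credentials we present. Needs the key password to unlock the private key.
        KeyStore identity = load(keyStorePath, keyStorePass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyStorePass); // assumption: key password == store password

        // TrustManager: which peers we accept. Only certificates are read; no key password involved.
        KeyStore anchors = load(trustStorePath, trustStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Assumption: JKS files as produced by keytool; JDK 9+ also reads PKCS12 through this type. */
    private static KeyStore load(String path, char[] pass) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    /** Runs one handshake on localhost and returns the server's subject DN as the client verified it. */
    public static String handshake(SSLContext server, SSLContext client) throws Exception {
        try (SSLServerSocket listener =
                     (SSLServerSocket) server.getServerSocketFactory().createServerSocket(0)) {
            listener.setNeedClientAuth(true); // reject clients whose cert the server truststore cannot verify
            Thread serverThread = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) listener.accept()) {
                    s.startHandshake();
                    System.out.println("server verified client: " + s.getSession().getPeerPrincipal().getName());
                } catch (Exception e) {
                    System.out.println("server side rejected the handshake: " + e);
                }
            });
            serverThread.start();
            try (SSLSocket c = (SSLSocket) client.getSocketFactory()
                    .createSocket("localhost", listener.getLocalPort())) {
                c.startHandshake();
                String peer = c.getSession().getPeerPrincipal().getName();
                System.out.println("client verified server: " + peer);
                return peer;
            } finally {
                serverThread.join();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: java MutualTlsDemo <serverKeyStore> <serverTrustStore>"
                    + " <clientKeyStore> <clientTrustStore> <password>");
            return;
        }
        char[] pw = args[4].toCharArray(); // assumption: one password for all four stores
        SSLContext server = contextFor(args[0], pw, args[1], pw);
        SSLContext client = contextFor(args[2], pw, args[3], pw);
        handshake(server, client);
    }
}
```

With the files from the steps above on one machine (the client's pair copied into, say, a client/ directory, which is my assumption about layout), run java MutualTlsDemo KeyStore.jks truststore.jks client/KeyStore.jks client/truststore.jks yourpass; both sides print the peer's subject DN. To watch the TrustManager do its job, point the client at a truststore that lacks ca-cert-s, or remove ca-cert-c from the server's truststore: the rejecting side fails with an SSLHandshakeException whose message ends in "unable to find valid certification path to requested target", and the other side sees a fatal certificate_unknown alert. Note that raw SSLSocket does not check the hostname against the certificate; HttpsURLConnection and most HTTP clients do, so the CN/SAN you type into keytool -genkey matters as soon as you leave this loopback demo.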

Should we point KeyStore and TrustStore to the same .jks file?

No. A truststore contains nothing but public data: the public certificates of CAs that you trust. A KeyStore contains a private key and its certificate: your digital identity. They may even be controlled by different people. Don't conflate their functions.

Truststore and Keystore Definitions

A keystore contains private keys, and the certificates with their corresponding public keys.

A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.

Why do I need to provide both a key store and a trust store for an SSL connection to IBM MQ?

As per the SSL configuration of the WebSphere MQ Java/JMS client guide, point 2 (Create keyStore), you are most likely using certificates for client authentication. This authentication setup requires a keyStore:

Complete this section only if you wish to have client authentication when a connection is made to a Queue Manager. If client authentication has not been specified on the channel, you do not need to complete this section.

The keyStore is essentially the same as a trustStore, except that it holds the client's personal certificate, and the JSSE requires a password for access. You can in fact add your personal certificate to the trustStore created earlier and it will act as both trustStore and keyStore, but the password that was not required before will now need to be passed to the JSSE in order for it to access your personal certificate.

You can verify this on the server, as shown in the Using self-signed certificates for mutual authentication of a client and queue manager guide, by running:

DISPLAY CHSTATUS(<your channel name>) SSLPEER SSLCERTI
