Trust Store vs Key Store - creating with keytool
The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).
The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), then used to build an SSLContext, which essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from, which are then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault() for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values, and specific SSLContexts can be built for a given purpose.)
The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):
TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.
(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)
Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).
How to identify whether the .jks is a keystore or a truststore?
There's not much of a difference; you can theoretically use one store for both purposes, not that it's recommended though.
However, if you use the Java keytool to -list the contents of your stores, a keystore should contain mainly PrivateKeyEntry entries and a truststore should contain mainly trustedCertEntry entries:
KeyStore:
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
<alias-1>, MMM dd, yyyy, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
<alias-2>, MMM dd, yyyy, PrivateKeyEntry,
TrustStore:
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
<alias-1>, MMM dd, yyyy, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
<alias-2>, MMM dd, yyyy, trustedCertEntry,
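An added example, not part of the answer above, that turns the PrivateKeyEntry / trustedCertEntry heuristic into a check: a POSIX shell function that reads `keytool -list` output and reports which role the store is playing, including the "same file for both" case the answer discourages. The sample listings embedded below are constructed, with placeholder fingerprints, not output from real stores. Note that a key store into which the CA certificate has also been imported under its own alias (as step 5 of the generation procedure further down this page does) shows up as mixed, because that import creates a trustedCertEntry next to the PrivateKeyEntry.

```shell
#!/bin/sh
# Added example: classify a Java store by the entry types `keytool -list` reports.
#   keystore   - only PrivateKeyEntry (or SecretKeyEntry) entries: holds identities
#   truststore - only trustedCertEntry entries: holds CA / peer certificates
#   mixed      - both kinds in one file (one store used for both purposes)
# Output: "<verdict> <key-entries> <trusted-cert-entries>"
classify_listing() {
  awk '
    /, PrivateKeyEntry,/  { keys++ }
    /, SecretKeyEntry,/   { keys++ }
    /, trustedCertEntry,/ { certs++ }
    END {
      if (keys > 0 && certs > 0) v = "mixed"
      else if (keys > 0)         v = "keystore"
      else if (certs > 0)        v = "truststore"
      else                       v = "empty"
      printf "%s %d %d\n", v, keys, certs
    }'
}

# Run against a real file. A PKCS12 store needs the password to be listed at all;
# a JKS store lists without it (keytool only warns that integrity was not checked).
classify_store() {
  if [ -n "${2:-}" ]; then
    keytool -list -keystore "$1" -storepass "$2" | classify_listing
  else
    keytool -list -keystore "$1" | classify_listing
  fi
}

# Constructed sample listings in keytool's -list layout (placeholder fingerprints).
SAMPLE_KEYSTORE='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

bmc, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX'

SAMPLE_TRUSTSTORE='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

server-ca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
partner-ca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX'

# What the generation procedure below produces: the CA cert imported under alias
# CARoot (step 5) sits beside the private key as a trustedCertEntry.
SAMPLE_MIXED='Your keystore contains 2 entries

bmc, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
caroot, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX'

printf 'SAMPLE_KEYSTORE   -> %s\n' "$(printf '%s\n' "$SAMPLE_KEYSTORE"   | classify_listing)"
printf 'SAMPLE_TRUSTSTORE -> %s\n' "$(printf '%s\n' "$SAMPLE_TRUSTSTORE" | classify_listing)"
printf 'SAMPLE_MIXED      -> %s\n' "$(printf '%s\n' "$SAMPLE_MIXED"      | classify_listing)"
```

Against a live file the call is `classify_store KeyStore.jks changeit`; the verdict names the role the file is actually playing, which is what you want to know before pointing javax.net.ssl.keyStore or javax.net.ssl.trustStore at it.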
Relationship between key store, trust store, and certificate
Store: keyStore would usually hold private/public keys and the TrustStore stores only public keys and represents the list of trusted parties, i.e. CAs.
Purpose: In the SSL handshake the purpose of the TrustStore is to verify credentials and the purpose of the keyStore is to provide credentials.
keyStore is used to store your credentials (server or client), i.e. private keys and certificates, while TrustStore is used to store others' credentials (certificates from CAs), i.e. the CA certificates you're willing to trust when a remote party presents its certificate.
TrustStore and keyStore are very much similar in terms of construct and structure, as both are managed by the keytool command (the binary comes with the JDK installation, inside JAVA_HOME/bin).
JAVA_HOME/JRE/Security/cacerts is a TrustStore, where Java stores the public certificates of root CAs used to authenticate peers (i.e. servers).
In Java, one file can represent both KeyStore and TrustStore, but it's better to separate private and public credentials, both for security and maintenance reasons.
JAVA_HOME/bin/keytool is a tool to manage keys and certificates.
KeyStore is needed when you are setting up the server side of SSL; it is used to store the server's identity certificate, which the server will present to a client on connection, while the trust store set up on the client side must contain it to make the connection work. If you use a browser to connect to any website over SSL, it verifies the certificate presented by the server against its TrustStore.
How to generate keystore and truststore
I followed this link.
1. Generate keystore (at server):
keytool -genkey -alias bmc -keyalg RSA -keystore KeyStore.jks -keysize 2048
2. Generate new ca-cert and ca-key:
openssl req -new -x509 -keyout ca-key -out ca-cert
3. Extract cert / create certificate signing request (CSR):
keytool -keystore KeyStore.jks -alias bmc -certreq -file cert-file
4. Sign the "cert-file"; cert-signed will be the new cert:
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:yourpass
5. Import the ca-cert into the keystore file:
keytool -keystore KeyStore.jks -alias CARoot -import -file ca-cert
6. Import cert-signed into the keystore:
keytool -keystore KeyStore.jks -alias bmc -import -file cert-signed
7. Copy ca-cert to the client machine and generate the truststore (at client):
keytool -keystore truststore.jks -alias bmc -import -file ca-cert-s
8. Copy ca-cert to the server machine and generate the truststore (at server):
keytool -keystore truststore.jks -alias bmc -import -file ca-cert-c
Repeat steps 1-6 on the client side and generate the truststore on the server side by importing the client's ca-cert (step 8).
ca-cert is renamed after step 6. Example: ca-cert-s is generated on the server side and ca-cert-c on the client, and they are exchanged with each other for generating the truststores.
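The eight steps above as a single script, added here as an example and not part of the original answer: it runs both sides non-interactively (steps 1-6 for the server, the same for the client, then the two truststore imports of steps 7 and 8), and checks that each identity chains to its own CA before the stores are handed to a JVM. Everything not in the answer is an assumption made for illustration: PKCS12 as store type, the password changeit, -genkeypair as the current name of -genkey, -nodes, -subj and -noprompt to suppress prompts, a subjectAltName on the signed certificate so Java's hostname verification can match, and the example.test host names.

```shell
#!/bin/sh
# Added example: the answer's steps 1-8 as one script that builds both sides of a
# mutual-TLS setup. Each party gets its own private CA, a key store holding its
# CA-signed identity, and a trust store holding ONLY the other party's CA cert.
# Assumed for illustration (not from the answer): PKCS12 store type, password
# "changeit", and the example.test host names below.
set -e

STOREPASS=changeit
DAYS=365

# kt: keytool with the store type and password every call below needs.
kt() { keytool "$@" -storetype PKCS12 -storepass "$STOREPASS"; }

# make_identity DIR ALIAS HOSTNAME -- steps 1-6 for one party, written under DIR.
make_identity() {
  dir=$1; alias=$2; host=$3
  mkdir -p "$dir"
  # 1. key pair (-genkeypair is the current spelling of -genkey). The file keeps
  #    the answer's name; the .jks suffix is cosmetic, the content is PKCS12.
  kt -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity "$DAYS" \
     -dname "CN=$host, O=Example" -keypass "$STOREPASS" -keystore "$dir/KeyStore.jks"
  # 2. a private CA for this party; -nodes leaves ca-key unencrypted so nothing prompts.
  openssl req -new -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
     -subj "/CN=$host CA/O=Example" -keyout "$dir/ca-key" -out "$dir/ca-cert" 2>/dev/null
  # 3. certificate signing request for the key held in the store.
  kt -certreq -alias "$alias" -file "$dir/cert-file" -keystore "$dir/KeyStore.jks"
  # 4. sign it with the CA, adding a SAN so hostname verification can match HOSTNAME.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/cert-file" -CA "$dir/ca-cert" -CAkey "$dir/ca-key" \
     -CAcreateserial -days "$DAYS" -extfile "$dir/san.cnf" -out "$dir/cert-signed" 2>/dev/null
  # 5. CA cert into the key store first, so keytool can build the chain in step 6.
  kt -importcert -noprompt -alias CARoot -file "$dir/ca-cert" -keystore "$dir/KeyStore.jks"
  # 6. replace the self-signed cert under ALIAS with the CA-signed one.
  kt -importcert -noprompt -alias "$alias" -file "$dir/cert-signed" -keystore "$dir/KeyStore.jks"
}

# make_truststore DIR ALIAS PEER_CA_CERT -- steps 7 and 8: trust the peer's CA, nothing else.
make_truststore() {
  kt -importcert -noprompt -alias "$2" -file "$3" -keystore "$1/truststore.jks"
}

# build_mutual_tls_stores ROOT -- the whole exchange under ROOT/server and ROOT/client.
build_mutual_tls_stores() {
  make_identity "$1/server" server server.example.test
  make_identity "$1/client" client client.example.test
  make_truststore "$1/client" server-ca "$1/server/ca-cert"   # the answer's ca-cert-s
  make_truststore "$1/server" client-ca "$1/client/ca-cert"   # the answer's ca-cert-c
}

# cert_verifies DIR ALIAS CA_CERT -- 0 if the identity in DIR/KeyStore.jks chains to CA_CERT.
cert_verifies() {
  kt -exportcert -rfc -alias "$2" -keystore "$1/KeyStore.jks" \
    | openssl verify -CAfile "$3" >/dev/null 2>&1
}

if [ "${1:-}" = run ]; then
  root=${2:-$(mktemp -d)}
  build_mutual_tls_stores "$root"
  cert_verifies "$root/server" server "$root/server/ca-cert"
  cert_verifies "$root/client" client "$root/client/ca-cert"
  echo "stores written under $root; point each JVM at its own pair, e.g. for the server:"
  echo "  -Djavax.net.ssl.keyStore=$root/server/KeyStore.jks -Djavax.net.ssl.keyStorePassword=$STOREPASS"
  echo "  -Djavax.net.ssl.trustStore=$root/server/truststore.jks -Djavax.net.ssl.trustStorePassword=$STOREPASS"
fi
```

Saved as, say, mtls-stores.sh, `sh mtls-stores.sh run /tmp/stores` produces the four files; `keytool -list` on each KeyStore.jks will then show one PrivateKeyEntry plus the CARoot trustedCertEntry from step 5, while each truststore.jks holds exactly one trustedCertEntry, the peer's CA. Keeping the CA private key (ca-key) off both machines once signing is done is the part the answer leaves implicit.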
Should we point KeyStore and TrustStore to the same .jks file?
No. A truststore contains nothing but public data: the public certificates of CAs that you trust. A KeyStore contains a private key and its certificate: your digital identity. They may even be controlled by different people. Don't conflate their functions.
Truststore and Keystore Definitions
A keystore contains private keys, and the certificates with their corresponding public keys.
A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.
Why I need to provide both key store and trust store for an SSL connection to IBM MQ
As per the SSL configuration section of the WebSphere MQ Java/JMS client guide, point 2, Create keyStore, you are most likely using certificates for client authentication. This authentication setup requires a keyStore:
Complete this section only if you wish to have client authentication when a connection is made to a Queue Manager. If client authentication has not been specified on the channel, you do not need to complete this section.
The keyStore is essentially the same as a trustStore, except that it holds the client's personal certificate, and the JSSE requires a password for access. You can in fact add your personal certificate to the trustStore created earlier and it will act as both trustStore and keyStore, but the password that was not required before will now need to be passed to the JSSE in order for it to access your personal certificate.
You can verify this on the server, as shown in the Using self-signed certificates for mutual authentication of a client and queue manager guide, by running:
DISPLAY CHSTATUS(<your channel name>) SSLPEER SSLCERTI