I understand that the keystore would usually hold private/public keys and the trust store only public keys (and represents the list of trusted parties you intend to communicate with). Well, that's my first assumption, so if that's not correct, I probably haven't started very well…
I was interested though in understanding how / when you distinguish the stores when using keytool.
So far I've created a keystore using
keytool -import -alias bob -file bob.crt -keystore keystore.ks
which creates my keystore.ks file. I answer yes to the question "do I trust bob", but it is unclear to me whether this has created a keystore file or a truststore file. I can set up my application to use the file as either:
-Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x
-Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x
and with System.setProperty( "javax.net.debug", "ssl")
set, I can see the certificate under trusted certifications (but not under the keystore section). The particular certificate I'm importing has only a public key and I intend to use it to send stuff over an SSL connection to Bob (but perhaps that's best left for another question!).
Any pointers or clarifications would be much appreciated. Is the output of keytool the same whatever you import, and is it just convention that says one is a keystore and the other a trust store? What's the relationship when using SSL, etc.?
Best Answer
The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).

The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), then used to build an SSLContext, which essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from, which is then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault() for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values and that specific SSLContext for a given purpose.)

The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):

(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)

Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).
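As an added illustration (not part of the answer above) of the two roles in the Java API, the following lists what kind of entries each file actually holds and then wires two distinct stores into the KeyManager and TrustManager explicitly, instead of going through the javax.net.ssl.* system properties. keystore.ks is the file from the question; identity.ks (holding your own private key) and the password "x" for both are assumed names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class StoreRoles {

    // Load a store file of the JVM's default type (JKS or PKCS12 depending on the version).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // The file format is the same either way; what differs is the entry type.
    // "keytool -import -file bob.crt" only adds trustedCertEntry items, which is why
    // such a file shows up under the trusted certificates in the ssl debug output
    // and never provides anything on the keyStore side.
    static void describe(String label, KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias)
                    ? "private key + certificate chain (usable as keyStore)"
                    : "trusted certificate only (usable as trustStore)";
            System.out.println(label + ": " + alias + " -> " + kind);
        }
    }

    // Explicit form of what SSLContext.getDefault() does from the system properties.
    static SSLContext build(KeyStore identity, char[] keyPassword, KeyStore trusted) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);   // our own private keys: the keyStore role
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);                 // CA/peer certificates we accept: the trustStore role
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "x".toCharArray();                 // assumed password for both files
        KeyStore trusted = load("keystore.ks", pw);    // the question's file: Bob's certificate
        KeyStore identity = load("identity.ks", pw);   // assumed file holding your own key pair
        describe("keystore.ks", trusted);
        describe("identity.ks", identity);
        SSLContext ctx = build(identity, pw, trusted);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Running describe on the question's keystore.ks prints only "trusted certificate only" entries, which is the practical answer to whether a given file can serve as a keyStore.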