Wednesday, December 12, 2012

Difference between trustStore vs keyStore in Java SSL

The main difference between trustStore and keyStore is that a trustStore (as the name suggests) is used to store certificates from trusted Certificate Authorities (CAs), which are used to verify the certificate presented by the server in an SSL connection, while a keyStore is used to store the private key and own identity certificate which the program presents to the other party (server or client) to prove its identity. That is the one-line difference between trustStore and keyStore in Java, but no doubt these two terms are quite confusing, not just for anyone setting up an SSL connection in Java for the first time but also for many intermediate and senior level programmers. One reason for this could be that SSL setup is a one-time job and not many programmers get the opportunity to do it. In this Java article we will explore both keystore and truststore and understand the key differences between them. By the way, you can use the keytool command to view certificates from the truststore and keystore. The keytool command comes with the Java installation and is available in the bin directory of JAVA_HOME.


KeyStore vs TrustStore

In order to understand the difference between keyStore and trustStore you need to understand how an SSL conversation happens between client and server, because this is the starting point of the confusion: many Java programmers don't pay attention to whether they are implementing the server side or the client side of the SSL connection. For example, setting up SSL for Tomcat is the server side of SSL, while setting up JDBC over SSL is the client side of the SSL connection. If you are implementing SSL on the server side you need a keyStore to store your server certificate and private key. Any time a client connects to the server, the server presents the certificate stored in its keyStore, and the client verifies that certificate against the certificates stored in its trustStore.

Let's see the difference between truststore and keystore in point form, which is clearer and easier to understand:

1) A keystore is used to store your own credentials (server or client), while a truststore is used to store others' credentials (certificates from CAs).

2) A keystore is needed when you are setting up the server side of SSL; it is used to store the server's identity certificate, which the server presents to the client on connection, while the truststore set up on the client side must contain that certificate (or the CA certificate that issued it) for the connection to work. When your browser connects to any website over SSL, it verifies the certificate presented by the server against its truststore.

3) Though I omitted this in the last section to reduce confusion, you can have both a keystore and a truststore on the client and server side if the client also needs to authenticate itself to the server. In this case the client stores its private key and identity certificate in its keystore, and the server authenticates the client against the certificates stored in the server's truststore.

4) In Java the javax.net.ssl.keyStore system property (passed on the command line as -Djavax.net.ssl.keyStore=...) is used to specify the keystore, while javax.net.ssl.trustStore (-Djavax.net.ssl.trustStore=...) is used to specify the truststore.

5) In Java one file can serve as both keystore and truststore, but it is better to separate private and public credentials, both for security and for maintenance reasons.

6) When you install a JDK or JRE on your machine, Java comes with its own truststore (a collection of certificates from well-known CAs like VeriSign, GoDaddy, Thawte, etc.). You can find this file at JAVA_HOME/JRE/Security/cacerts, where JAVA_HOME is your JDK installation directory.

7) The keytool command (a binary that comes with the JDK installation, inside JAVA_HOME/bin) can be used to create and view both keystores and truststores.
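To make these roles concrete, here is an added Java example (not code from the original post). It loads a separate keystore and truststore for each side, builds an SSLContext for a server and a client programmatically (the same stores you would otherwise name with -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore, as in point 4), and runs a mutually authenticated handshake over loopback, which is the situation described in point 3. The file names server.p12, client.p12, server-trust.p12 and client-trust.p12, the password changeit, and the class name KeyStoreVsTrustStore are placeholders assumed for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: server and client side of one mutually authenticated TLS
 * connection, each built from its own keystore (identity) and truststore
 * (who it accepts). All file names and the password are placeholders:
 *   server.p12       server private key + identity certificate   (server keystore)
 *   server-trust.p12 certificate(s) the server trusts from clients (server truststore)
 *   client.p12       client private key + identity certificate   (client keystore)
 *   client-trust.p12 certificate(s) the client trusts from servers (client truststore)
 */
public class KeyStoreVsTrustStore {

    static final char[] PASSWORD = "changeit".toCharArray(); // placeholder password

    /** Loads a PKCS12 file; the same call serves for a keystore or a truststore. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds an SSLContext from an identity store (our private key and certificate)
     * and a trust store (certificates we accept from the peer). Server and client
     * use the same method; only the files differ.
     */
    static SSLContext context(String keyStorePath, String trustStorePath) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, PASSWORD), PASSWORD);      // needs the private key password

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, PASSWORD));              // public certificates only

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext serverCtx = context("server.p12", "server-trust.p12");
        SSLContext clientCtx = context("client.p12", "client-trust.p12");

        SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        listener.setNeedClientAuth(true); // point 3: the server verifies the client's certificate too

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                // The client's certificate came from client.p12 and was checked against server-trust.p12.
                System.out.println("server: client is " + s.getSession().getPeerPrincipal());
                s.getOutputStream().write("hello\n".getBytes(StandardCharsets.UTF_8));
                s.getOutputStream().flush();
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        server.start();

        SSLSocketFactory factory = clientCtx.getSocketFactory();
        try (SSLSocket c = (SSLSocket) factory.createSocket("localhost", listener.getLocalPort())) {
            // Also check that the name in the server certificate matches the host we dialled;
            // assumes server.p12 holds a certificate issued for "localhost".
            SSLParameters params = c.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            c.setSSLParameters(params);
            c.startHandshake(); // throws SSLHandshakeException if client-trust.p12 does not trust the server
            System.out.println("client: server is " + c.getSession().getPeerPrincipal());
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8));
            System.out.println("client: received " + in.readLine());
        }
        server.join();
        listener.close();
    }
}
```

The four files can be produced with the keytool command from point 7: keytool -genkeypair creates the two identity keystores, keytool -exportcert followed by keytool -importcert copies each side's certificate into the other side's truststore, and keytool -list -v shows what a store contains. A quick way to see the difference in practice is to delete the server's certificate from client-trust.p12 and run the program again: the client's startHandshake() then fails with an SSLHandshakeException, because the client has no trusted certificate to verify the server against, while the server side is unchanged.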

If you are still not clear on what a truststore and a keystore are in Java, or on the difference between them, then just remember one line: a keystore is used to store the server's own certificate, while a truststore is used to store the certificates of other parties, issued by CAs like VeriSign or GoDaddy, or even self-signed certificates.


3 comments:

  1. Hi

    Still I'm confused with point 3.

    That is, we can configure both keystore and truststore in Tomcat.

    Means, is it like configuring the truststore in server.xml is equivalent to configuring the system property java.net.ssl.truststore, or is it different?

    And also, can you suggest a test scenario on how to verify whether it is working fine after configuring?

  2. To explain it better: a truststore basically contains the certificates of CAs, which actually contain the public keys (RSA) of the CAs.
    One publishes its public key but not its private key. A truststore contains the public keys of well-known CAs. These public keys are used to verify whether the server you are trying to connect to is legitimate.

    Keystore and truststore are actually the same. To be precise, a truststore is a keystore. Keystore is the more generic term. No one stops you from storing a private key in a truststore. The name truststore is given to a keystore which only contains public keys. So the name truststore is because of the content.

    Ref: http://download.java.net/jdk8/docs/technotes/guides/security/jsse/JSSERefGuide.html#ConfigSmartcard

  3. Can anybody explain, line by line, how these keystore/truststore work in SSL, or give some reference?