Trust Store vs Key Store - creating with keytool

java

ssl

tls

keytool

byNikita Barsukov·Oct 18, 2024

KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, "changeit".toCharArray()); // Just initializing a KeyStore... nothing earth-shattering!

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks); // TrustManager now believing every key from our KeyStore. The trust is strong with this one!

KeyStores are for private keys and certificates, they need a little 💖 (a.k.a keystorePassword). On the other hand, TrustStores are full of public certificates we trust implicitly, handled by the same KeyStore class in Java but loaded using a truststorePassword. Keep your private keys and trusted certs neatly divided for best security.

Key roles in SSL/TLS communications

KeyStore and TrustStore are the backbone of SSL/TLS secure communication. Let's dissect their roles during an SSL handshake:

KeyStore in action

Servers whip out KeyStore certificates to greet clients.
When clients want to return the favor, they provide a KeyStore too. (It's a Mutual Authentication party!)
The KeyStore is designed for guard duty — keeping private keys secure, accessible only with the keystorePassword.

TrustStore steps up

When it's time to shake hands, clients use TrustStore to vet the server's credentials.
The 'bouncer' of the system, the TrustManager, decides if the foreign credentials pass muster.
The TrustStore must be stocked with CA certificates we deem trustworthy, which could also include public keys and certificate chains.

Commanding keystores and truststores with keytool

Keytool basics

Generate: Get your KeyStore/TrustStore up and running using keytool -genkey -alias mykey -keystore keystore.jks.
DIY-signing: Whip up a self-signed certificate, handy for testing scenarios when a CA is playing hard to get.
Import: To let a trusted certificate into your TrustStore, use keytool -import -alias cacert -file ca_certificate.pem -keystore truststore.jks.

Pro tips

Export: On occasion, you might need to let a certificate strut its stuff outside. Do that with keytool -export -alias mycert -file mycert.crt -keystore keystore.jks.
Peeking inside: Cure your curiosity about a store's contents with keytool -list -v -keystore keystore.jks.

Customization and variety

While JKS is a commoner, keystores come in different flavors like the exotic PKCS12 or the security-conscious BKS.
Flex the Java API when you need to tailor-fit your keystores and truststores.

Protection plans and best practices

Separation or union?

While one file can pull double duty as a KeyStore and TrustStore, you'll thank yourself for maintaining clarity by separating items that need protection (private keys) from entities that vouch for trust (public certificates).

Defaults at the helm

Absent custom configs, Java will step in with its default KeyManagers and TrustManagers. If you fancy non-standard settings, consider customizing via the SSLContext.

Java system properties

Fancy an easier runtime access to your stores? Specify the paths with Java system properties -Djavax.net.ssl.trustStore and -Djavax.net.ssl.keyStore.

Troubleshooting and useful tips

Truststore red-alerts

A misconfigured or incomplete truststore can lead to SSLHandshakeExceptions. Store properly, handle carefully!

Protecting KeyStore

KeyStore security is paramount. Employ key management best practices — rotate passwords, pick strong algorithms, and consider not leaving your KeyStore in a coffee shop.

Keytool mishaps

Keytool error messages are your besties. Watch for complaints about missing aliases, deceptive passwords, or vanished files.
While importing certificates, check if the format is right (PEM is popular) and avoid alias collisions.