Trust Store vs Key Store - creating with keytool
A KeyStore holds private keys together with their certificate chains, so it needs a little 💖 (a.k.a. the keystorePassword) to keep them secret. A TrustStore, on the other hand, holds only the public certificates we choose to trust. Both are instances of the same java.security.KeyStore class in Java; the difference lies in what you put in them and which side of the handshake reads them, and the truststorePassword only guards the file's integrity, not any secret. Keep your private keys and your trusted certificates in separate files for best security.
Key roles in SSL/TLS communications
KeyStore and TrustStore are the backbone of SSL/TLS secure communication. Let's dissect their roles during an SSL handshake:
KeyStore in action
- Servers whip out the certificate chain stored in their KeyStore to greet clients, then prove they own it by using the matching private key during the handshake.
- When the server asks clients to return the favor, they present a certificate from a KeyStore of their own. (It's a Mutual Authentication party!)
- The KeyStore is designed for guard duty: keeping private keys secure, accessible only with the keystorePassword (plus a per-key password, which for PKCS12 stores is the same as the store password).
TrustStore steps up
- When it's time to shake hands, the client uses its TrustStore to vet the server's certificate chain; with mutual authentication the server uses its own TrustStore to vet the client's in the same way.
- The 'bouncer' of the system, the TrustManager, decides if the foreign credentials pass muster, i.e. whether the presented chain links back to a certificate in the TrustStore. If it does not, the handshake fails with an SSLHandshakeException.
- The TrustStore must be stocked with the CA certificates we deem trustworthy (roots, and intermediates where the server does not send them). It may also hold a specific self-signed or end-entity certificate when you want to trust exactly that one and nothing else.
Commanding keystores and truststores with keytool
Keytool basics
- Generate: get your KeyStore up and running with a fresh key pair and self-signed certificate using keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.jks (the older -genkey spelling is still accepted as an alias). A TrustStore is never "generated"; it comes into existence the first time you import a certificate into it.
- DIY-signing: the certificate -genkeypair produces is self-signed, handy for testing scenarios when a CA is playing hard to get. For anything real, create a request with keytool -certreq and import the CA's signed reply with keytool -importcert under the same alias, so it is attached to your private key.
- Import: to let a trusted certificate into your TrustStore, use keytool -importcert -alias cacert -file ca_certificate.pem -keystore truststore.jks (-import is the old alias). keytool prints the certificate's fingerprint and asks whether to trust it; compare that fingerprint with one obtained out of band before you answer yes.
Pro tips
- Export: on occasion, you might need to let a certificate strut its stuff outside. Do that with keytool -exportcert -alias mycert -file mycert.crt -keystore keystore.jks (-export is the old alias). Only the public certificate is written, never the private key; add -rfc to get PEM instead of DER.
- Peeking inside: cure your curiosity about a store's contents with keytool -list -v -keystore keystore.jks. The "Entry type:" line says whether an alias is a PrivateKeyEntry or a trustedCertEntry, which is the quickest way to confirm that a truststore carries no private keys.
Customization and variety
- While JKS is the classic Java format, it is proprietary and uses a weak SHA-1 based key-protection scheme, which is why keytool itself warns about it. PKCS12 is the industry standard and the JDK default since Java 9; BKS is Bouncy Castle's format, mostly met on Android. Migrate a legacy store with keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12.
- Flex the Java API (java.security.KeyStore) when you need to tailor-fit your keystores and truststores at runtime.
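The whole keytool procedure from the Keytool basics and Pro tips sections, plus the JKS to PKCS12 migration from Customization and variety, as one script. This is an added example, not code from the original article; it assumes a JDK keytool on PATH, PKCS12 stores, and throw-away demo values (alias mykey, password changeit, CN=localhost, and the file names keystore.p12, truststore.p12 and server.crt) that the page does not prescribe.

```shell
#!/bin/sh
# Added example (not part of the original article): the keytool workflow end to end.
# Assumptions: a JDK keytool on PATH, PKCS12 stores, and throw-away demo values
# (password changeit, alias mykey, CN=localhost) that must not be reused in production.
set -u

STOREPASS="${STOREPASS:-changeit}"   # demo password; PKCS12 uses one password for store and key
STORETYPE="${STORETYPE:-PKCS12}"     # stated explicitly so older JDKs never assume JKS

# 1. Key pair plus self-signed certificate into a keystore: the only file that ever
#    holds a private key. Optional $2 picks the store type (e.g. JKS for a legacy fixture).
make_keystore() {   # $1 keystore file  [$2 store type]
  keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=localhost" -ext "SAN=dns:localhost,ip:127.0.0.1" \
    -storetype "${2:-$STORETYPE}" -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    >/dev/null 2>&1
}

# 2. Export the public certificate only (-rfc gives PEM); the private key never leaves.
export_cert() {   # $1 keystore  $2 output .crt
  keytool -exportcert -alias mykey -rfc -storetype "$STORETYPE" -keystore "$1" \
    -storepass "$STOREPASS" -file "$2" >/dev/null 2>&1
}

# 3. Import that certificate into a separate truststore. -importcert creates the file
#    if missing; -noprompt skips the interactive "Trust this certificate?" question.
make_truststore() {   # $1 truststore  $2 .crt to trust
  keytool -importcert -noprompt -alias server -file "$2" \
    -storetype "$STORETYPE" -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}

# 4. Migrate a legacy JKS store to PKCS12, as keytool itself recommends on every JKS run.
convert_jks_to_p12() {   # $1 source .jks  $2 destination .p12
  keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype JKS -srcstorepass "$STOREPASS" \
    -destkeystore "$2" -deststoretype PKCS12 -deststorepass "$STOREPASS" >/dev/null 2>&1
}

# Inspection: prints PrivateKeyEntry or trustedCertEntry for an alias, nothing if absent.
entry_type() {   # $1 store  $2 alias
  keytool -list -v -alias "$2" -storetype "$STORETYPE" -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | sed -n 's/^Entry type: //p'
}

# Separation check: a truststore must never carry a private key. 0 only if it is clean.
has_no_private_keys() {   # $1 store
  ! keytool -list -storetype "$STORETYPE" -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

main() {
  dir=$(mktemp -d) && cd "$dir" || exit 1
  make_keystore keystore.p12
  export_cert keystore.p12 server.crt
  make_truststore truststore.p12 server.crt
  echo "keystore.p12   mykey  -> $(entry_type keystore.p12 mykey)"      # PrivateKeyEntry
  echo "truststore.p12 server -> $(entry_type truststore.p12 server)"   # trustedCertEntry
  has_no_private_keys truststore.p12 && echo "truststore.p12 holds no private keys"
  keytool -list -v -storetype "$STORETYPE" -keystore truststore.p12 -storepass "$STOREPASS"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as sh keytool_demo.sh run (the file name is hypothetical); it works in a fresh temporary directory. For a real deployment, the self-signed step is replaced by keytool -certreq and an import of the CA's reply under the same alias, and the truststore gets the CA certificate rather than the server's own.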
Protection plans and best practices
Separation or union?
While one file can pull double duty as a KeyStore and a TrustStore, you'll thank yourself for maintaining clarity by separating items that need protection (private keys) from entities that vouch for trust (public certificates). A pure truststore can then be copied to every client and its password shared freely, while the keystore stays locked down to the one service that needs it.
Defaults at the helm
Absent custom configs, Java steps in with its default KeyManager (backed by javax.net.ssl.keyStore, and presenting no certificate when that is unset) and default TrustManager (backed by javax.net.ssl.trustStore, or the JDK's own cacerts file when that is unset). If you fancy non-standard settings, customize via your own SSLContext.
Java system properties
Fancy easier runtime access to your stores? Specify the paths and passwords with Java system properties: -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword, -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword, plus -Djavax.net.ssl.trustStoreType / -Djavax.net.ssl.keyStoreType whenever the file is not in the JDK's default format. Mind that passwords passed on the command line are visible to anyone who can list processes.
Troubleshooting and useful tips
Truststore red-alerts
A misconfigured or incomplete truststore (wrong path, wrong type, wrong password, or a missing intermediate or root certificate) leads to SSLHandshakeExceptions, usually wrapped around "PKIX path building failed: unable to find valid certification path to requested target". Run the JVM with -Djavax.net.debug=ssl:handshake to see which certificate the TrustManager turned away. Store properly, handle carefully!
Protecting KeyStore
KeyStore security is paramount. Employ key management best practices: restrict the file's permissions to the service account that needs it, rotate keys and passwords, pick strong algorithms (RSA 2048 bits or more, or EC P-256, with SHA-256 signatures), and consider not leaving your KeyStore in a coffee shop.
Keytool mishaps
- Keytool error messages are your besties. Watch for "Alias <name> does not exist", "keystore password was incorrect" (or, for JKS, "Keystore was tampered with, or password was incorrect"), and "Keystore file does not exist".
- While importing certificates, check that the format is right (PEM and DER both work with -importcert) and avoid alias collisions: keytool refuses to overwrite an existing trusted certificate under the same alias, and an import into an alias that holds a private key is treated as a CA reply for that key, not as a new trusted certificate.
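A pre-flight script for the failure modes covered in the Java system properties, Truststore red-alerts and Keytool mishaps sections: it checks the store passwords, the key alias and whether the truststore actually contains the issuer of the peer's certificate before the JVM is launched with the javax.net.ssl properties. This is an added example, not the article's own code; it assumes keytool on PATH, PKCS12 stores, the demo password changeit, constructed fixtures (aliases mykey and other) and a hypothetical main class com.example.Main standing in for your application.

```shell
#!/bin/sh
# Added example (not part of the original article): pre-flight checks for the three
# classic start-up failures (wrong store password, missing alias, truststore without
# the peer's issuer) before wiring the stores in with javax.net.ssl system properties.
# Assumptions: keytool on PATH, PKCS12 stores, demo password changeit, and a hypothetical
# main class com.example.Main standing in for your application.
set -u

STORETYPE="${STORETYPE:-PKCS12}"

# 0 if the password opens the store. A wrong password makes keytool fail with
# "keystore password was incorrect" (PKCS12) or "Keystore was tampered with, ..." (JKS).
store_password_ok() {   # $1 store  $2 password
  keytool -list -storetype "$STORETYPE" -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# 0 if the alias exists; otherwise keytool exits non-zero with "Alias <x> does not exist".
alias_exists() {   # $1 store  $2 password  $3 alias
  keytool -list -alias "$3" -storetype "$STORETYPE" -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# 0 if some certificate in the truststore has, as its subject (Owner), exactly the
# Issuer named in the peer certificate: only then can the TrustManager start building a
# path. A self-signed certificate is its own issuer, so its own entry satisfies this.
truststore_has_issuer() {   # $1 truststore  $2 password  $3 peer certificate (PEM or DER)
  issuer=$(keytool -printcert -file "$3" 2>/dev/null | sed -n 's/^Issuer: //p' | head -n 1)
  [ -n "$issuer" ] || return 2
  keytool -list -v -storetype "$STORETYPE" -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^Owner: //p' | grep -Fxq -- "$issuer"
}

# Runs every check and reports each failure, instead of letting the JVM surface a single
# SSLHandshakeException ("PKIX path building failed") on the first connection.
preflight() {   # $1 keystore $2 its password $3 key alias $4 truststore $5 its password $6 peer cert
  rc=0
  store_password_ok "$1" "$2" || { echo "keystore $1: wrong password, wrong type or corrupt"; rc=1; }
  alias_exists "$1" "$2" "$3" || { echo "keystore $1: alias '$3' not found"; rc=1; }
  store_password_ok "$4" "$5" || { echo "truststore $4: wrong password, wrong type or corrupt"; rc=1; }
  truststore_has_issuer "$4" "$5" "$6" || { echo "truststore $4: issuer of $6 is not trusted"; rc=1; }
  return $rc
}

# The launch line from the "Java system properties" section. Store types are passed
# explicitly so a .p12 is never read as JKS; DEBUG=1 adds handshake tracing, which names
# the certificate the TrustManager rejected. Passwords given this way show up in ps.
java_cmdline() {   # $1 keystore $2 password $3 truststore $4 password $5 main class
  debug=""
  [ "${DEBUG:-0}" = 1 ] && debug="-Djavax.net.debug=ssl:handshake "
  printf 'java %s-Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.keyStoreType=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=%s %s\n' \
    "$debug" "$1" "$2" "$STORETYPE" "$3" "$4" "$STORETYPE" "$5"
}

# Constructed fixtures: a server key pair (mykey) and an unrelated certificate (other).
make_fixtures() {   # $1 password
  for a in mykey other; do
    keytool -genkeypair -alias "$a" -keyalg RSA -keysize 2048 -dname "CN=$a" -validity 30 \
      -storetype "$STORETYPE" -keystore "$a.p12" -storepass "$1" -keypass "$1" >/dev/null 2>&1
    keytool -exportcert -rfc -alias "$a" -storetype "$STORETYPE" -keystore "$a.p12" \
      -storepass "$1" -file "$a.crt" >/dev/null 2>&1
  done
  # A truststore that trusts only "other": incomplete for a client talking to mykey.
  keytool -importcert -noprompt -alias other -file other.crt -storetype "$STORETYPE" \
    -keystore truststore.p12 -storepass "$1" >/dev/null 2>&1
}

main() {
  dir=$(mktemp -d) && cd "$dir" || exit 1
  make_fixtures changeit
  preflight mykey.p12 changeit mykey truststore.p12 changeit mykey.crt \
    || echo "-> not launching; fix the truststore first"
  keytool -importcert -noprompt -alias mykey -file mykey.crt -storetype "$STORETYPE" \
    -keystore truststore.p12 -storepass changeit >/dev/null 2>&1
  preflight mykey.p12 changeit mykey truststore.p12 changeit mykey.crt \
    && java_cmdline mykey.p12 changeit truststore.p12 changeit com.example.Main
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as sh tls_preflight.sh run (hypothetical file name): the first preflight reports that the issuer of mykey.crt is not trusted, the second passes after the import and prints the java command line. The issuer check compares distinguished names exactly as keytool prints them, which is enough to catch a missing root or intermediate; it does not replace the path validation the TrustManager performs (expiry, signatures, name constraints).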
Personalizing SSLContext
Tune your SSLContext for bespoke setups: load each store with KeyStore.load, feed the keystore to a KeyManagerFactory and the truststore to a TrustManagerFactory, and hand the resulting KeyManagers and/or TrustManagers to SSLContext.init. That keeps passwords out of the command line and lets one JVM talk to different peers with different trust.