Key Stores vs. Trust Stores: What's the Difference in Keytool?

Key Stores and Trust Stores: A Keytool Distinction

When working with keytool, understanding the distinction between key stores and trust stores is essential. While a key store typically holds private/public keys, a trust store holds only public keys and defines the trusted parties for communication.

Creating a Key Store

Using keytool, you can create a key store using:

keytool -import -alias bob -file bob.crt -keystore keystore.ks

This command imports a certificate with a public key into the keystore.ks file.

Key Store vs. Trust Store Classification

Determining when a store is a key store or trust store in keytool is not always straightforward. The output of keytool remains the same regardless of the imported certificate. It is convention that determines the classification:

• A key store holds private keys and certificates.
• A trust store holds trusted public keys.

Relationship in SSL

In SSL/TLS connections, the key store is used by the client to authenticate itself to the server. It contains the private key and certificate that the client uses to prove its identity. The trust store is used by both the client and server to verify the authenticity of the other party's certificate. It contains the public keys of trusted certificate authorities (CAs).

Default System Properties

The following system properties can be used to specify key store and trust store locations:

• javax.net.ssl.keyStore
• javax.net.ssl.trustStore

These properties provide default values for building KeyManagers and TrustManagers, which are essential components for SSL/TLS connections.

The above is the detailed content of Key Stores vs. Trust Stores: What's the Difference in Keytool?. For more information, please follow other related articles on the PHP Chinese website!